Embed Size (px)
Citation preview
1
International Association of Penal Law / Association Internationale de Droit
Pénal (AIDP)
XIX International Congress of Penal Law: ”Information Society and Penal Law”
(Rio de Janeiro, Brazil, September 2014)
Preparatory Colloquium Section 4 (international criminal law)
9–12 June 2013 in Helsinki, Finland
General Report
International criminal law in the cyber world, how to apply the rule of law in an
area of shared sovereignty
General Rapporteur prof. André Klip, Maastricht University
1. International criminal law in the information society
1.1 Connecting the physical world with the virtual world
The changes brought about by new computer and telecommunication technologies to
our society are enormous and whilst ongoing, it is not exaggerating to state that they
have dramatic consequences for various aspects of criminal law and criminal
procedure. This justifies renewed attention to this issue within our association. It is
not the first time that the AIDP looked into the topic of information law, albeit quite
some years ago, and things have changed drastically.1
The globalization of our society has the consequence that human behaviour may have
its effect at many more locations than the place where the initiator of the conduct
acted. Google earth, Street View, and Facebook and Hyves make clear to us that for
many there is little that others may not be able to see. More and more people are
online all the time with cell phones, Ipads or navigation systems. Big Brother is now
finally watching us, we leave traces wherever we go.
The world of crime follows (or some may even say is ahead of) the legal world. New
technologies, such as telecommunication, computers and the world wide web may be
both an useful tool as an interesting goal to commit an offence. Hackers may enter a
network or an individual computer located in one state from a computer located at the
other side of the world. Hate speech may be uttered through twitter, email messages
or you tube tapes and have a global expansion. Cyber attacks may demolish or lame
information networks, online banking systems and government servers.2
With regard to the investigations into crimes committed in modern times, the
information society raises new legal questions. The investigation into an international
1 See the General Report by Cole Durham, The Emerging Structures of Criminal Information Law:
Tracing the Contours of a New Paradigm, 64 RIDP 1993, p. 79-117. 2 See various examples mentioned France 2.
2
network for the production of child pornography and the dissemination of its products
may require to visit websites, to enter their protected areas, to look into mail boxes, to
analyze discussion and news groups and to identify the individual IP-addresses of
computers. Cloud computing3 raises the question of where data are stored and which
legislation applies to it.4 Also wireless communication poses new problems to law
enforcement agencies, because the transmission of data may involve various states or
international organizations. The person using a cell phone in one state may converse
with a person in another state. However, the satellite(s) transmitting the conversation
may be owned by other states or private parties and located in space. What does this
mean for the possibilities of intercepting the conversation?
In times in which there are various situations in which it is important to have a certain
position of information that will enable the state to prevent or respond to terrorist
attacks, states have concluded so called Passenger Name Record agreements. In
addition, states have developed (common) databases that may be consulted directly
without intervention of the state that supplied the information. For instance, among
Member States of the European Union, DNA-databases allow direct consultation to
check whether a new sample matches DNA-profiles already present in the national
databases of other states.
Thus far, despite its presence for quite some decades already, the emergence of cyber
crime did not lead to much legislative activity on the international level. The main
documents are the Convention on Cybercrime,5 and its Additional Protocol to the
Convention on cybercrime, concerning the criminalization of acts of a racist and
xenophobic nature committed through computer systems. The drafters of the
Convention on Cybercrime did relate the necessity of the convention to developments
in the society as a whole.6 Cyber crime is regarded as a common problem. In our
times there will not be many subjects that are so inherently linked with an
3 Cloud computing is defined as “a model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable resources (e.g., networks, servers, storage, applications, and
services) that can be rapidly provisioned and released with minimal management effort or service
provider interaction.” Peter Mell and Timothy Grance, The NIST definition of Cloud Computing 2011,
Special Publication 800-145, National Institute of Standards and Technology. 4 See Laviero Buono, the Global Challenge of Cloud Computing and EU Law, Eucrim 2010, p. 117-
124. 5 Budapest, 23 November 2001, ETS 185, 39 ratifications as of 26 May 2013. Most states that
submitted a National Report are a party. It was ratified by Belgium, Denmark, Finland, France,
Germany, Italy, Japan, Netherlands, Spain, Switzerland and the United States. It was only signed by
Poland, Sweden and Turkey. The Additional Protocol received 20 ratifications as of 26 May 2013. Of
the reporting states it was ratified by Denmark, Finland, France, Germany and the Netherlands. The
additional Protocol has been only signed by Belgium, Italy, Poland, Sweden and Switzerland. 6 In the preamble to the Convention on Cybercrime the necessity of international legislation in a global
information society has been described with the following arguments: “Convinced of the need to
pursue, as a matter of priority, a common criminal policy aimed at the protection of society against
cybercrime, inter alia, by adopting appropriate legislation and fostering international co-operation;
Conscious of the profound changes brought about by the digitalisation, convergence and continuing
globalisation of computer networks; Concerned by the risk that computer networks and electronic
information may also be used for committing criminal offences and that evidence relating to such
offences may be stored and transferred by these networks; Recognising the need for co-operation
between States and private industry in combating cybercrime and the need to protect legitimate
interests in the use and development of information technologies; Believing that an effective fight
against cybercrime requires increased, rapid and well-functioning international co-operation in criminal
matters.”
3
international dimension and therefore make it difficult for states to act and legislate
individually.
The definitions used in Article 1 of the Convention on Cybercrime are used in this
report. In addition, cyber crime is understood to cover criminal conduct that affects
interests associated with the use of information and communication technology (ICT),
such as the proper functioning of computer systems and the internet, the privacy and
integrity of data stored or transferred in or through ICT, or the virtual identity of
internet users. The common denominator and characteristic feature of all cyber crime
offences and cyber crime investigation can be found in their relation to computer
systems, computer networks and computer data on the one hand and to cyber systems,
cyber networks and cyber data on the other hand. Cyber crime covers offenses
concerning traditional computers as well as cloud cyber space and cyber databases.
Without lifting the veil too early in this report it must already be mentioned that there
is a general concern amongst National Rapporteurs to consider their national
legislation to be insufficient vis-à-vis the problems that cybercrime pose.7 The
Brazilian report phrases this in its opening statement as follows: “A pesar de que la
importancia de Brasil en el mundo es cada vez mayor y que el país está cada vez está
más integrado en las relaciones internacionales y las actividades económicas globales,
la legislación penal brasileña en materia de crímenes informáticos es reciente y aún
incipiente.”8 In the French Report it is called for a more modern legislation adjusted to
the needs of our times: “Face à la mondialisation des risques, il n'est certes pas
inconcevable d'imaginer une mondialisation de la réponse et d'instaurer une sorte de
lex paenalia electronica. Mais on en est loin ! Quoi qu'il en soit, les normes destinées
à encadrer les activités se déroulant dans le cyberespace sont perfectibles. Elles ne
sont d'ailleurs pas seulement « territorialisées ». Elles sont aussi, de plus en plus, «
internationalisées».”9
Developments in the legal world have always had parallel consequences in the world
of crime and the ways to combat crime. In essence, the main question for this General
Report is: what are the implications of the global society becoming an information
society for international criminal law? This will be done with regard to the various
relevant aspects and in the following structure. First jurisdiction and locus delicti
issues will be dealt with, as these determine whether the substantive criminal law of a
state is applicable to the conduct (par. 2). Subsequently, the possibilities for
investigating in the world of cyberspace will be looked at, especially in view of
determining whether these are measures of a purely national character or with an
transnational dimension (par. 3). Paragraph 4 focuses on mutual assistance in criminal
matters. To what extent can the assistance between states cope with or make use of
new developments? The difficulties of criminal law enforcement in the clouds are the
topic of paragraph 5. Modern technology may also have consequences for the way the
criminal proceedings are conducted in court. Paragraph 6 explores the current
practices and the possibilities for the future. Paragraph 7 identifies the problems that
7 Draft Resolution 1 relates to this problem: “States should develop a coherent response to the
challenge of cybercrime, in particular by keeping their legislation and practice under review in order to
ensure that their criminal law, criminal procedure and mutual legal assistance regimes meet the needs
of today’s interconnected globalised world.” 8 Brazil 1.
9 France 13.
4
come up in ensuring human rights in cyberspace. Concluding observations are made
in paragraph 8.
Attached to the General Report are draft Resolutions which were adopted by the
participants to the preparatory colloquium held in Helsinki on 9-12 June 2013. It is
referred to each an individual resolution in the text of this General Report for the
purposes of better understanding. The Resolutions should be interpreted in the context
of this General Report.
1.2 Purpose of the General Report
It is the task of the General Report to identify the issues that are at stake. Which issues
related to the information society in criminal law appear on the horizon? This picture
will contribute to making an analysis of the various aspects of information society and
international criminal law, to raise further questions to stimulate the debate and to
suggest solutions. Section IV of the AIDP is traditionally the section in which the
various elements of the other three sections come together. The General Rapporteur is
aware of the potential overlap with issues dealt with in each of the other three
sections. However, this is an inherent aspect to this topic.
Following the well-proven methodology within the AIDP, the General Reporteur
obtains his information from the national reports submitted by the National Groups
that have nominated their National Rapporteurs. The National reports were framed
according to the Questionnaire drafted by the General Reporteur in consultation with
the Scientific Committee of the AIDP. In several meetings all four general
Rapporteurs, Emilio Viano, Thomas Weigend, Johannes Nijboer10
and André Klip
discussed the draft questionnaires intensively. I enjoyed the high level of the debate
and the inspiring atmosphere very much. The General Rapporteur expresses his
gratitude to all National Rapporteurs for the time and effort they have put in
delivering such a high quality of reports, offering a wide variety of approaches and
giving much food for thought. The collection of National Reports is a source of
inspiration to explore. It is offers an enriching comparative perspective on various
legal systems across the world.
Writing this report was a challenging, but also pleasant task, as the national reports
offer a lot to learn. In this context I refer to the French Report that distinguishes three
approaches to cybercrime: a semantic approach, a criminological approach and a legal
approach. In essence it focuses on the question that is central to this report as well:
“l'un des aspects qui est au cœur de la problématique du droit pénal de l'internet : dans
quelle mesure ce droit prend-il en compte à la fois l'ubiquité et l'immédiateté qui
caractérisent les flux d'information sur le Web ?”11
This General Report profited from the input of seventeen National Reports of the
following national groups: Argentina,12
Belgium,13
Brazil,14
China,15
Denmark,16
10
In April we received the sad news that Hans Nijboer passed away on 13 April 2013. He was a
charming and inspiring colleague, who is missed by many. 11
France 1. 12
Javier Augusto De Luca, Marcelo Riquert, Christián C. Sueiro, María Ángeles Ramos and Francisco
Figueroa.
5
Finland,17
France,18
Germany,19
Italy,20
Japan,21
the Netherlands,22
Poland,23
Spain,24
Sweden,25
Switzerland,26
Turkey,27
and the United States.28
When referring to the
national reports, the country will be mentioned, as well as the page of the original
format submitted to the General Rapporteur.
2. Jurisdiction and Locus Delicti
Jurisdictional principles
In their answers to the questionnaire, the national reports by and large state that their
states apply the regular principles of jurisdiction. States apply classical principles of
jurisdiction, such as the principles of territoriality, active and passive nationality/
personality, domicile and universality. States did not develop new jurisdictional
principles in relation to cyber crime and apply the already existing principles.29
It
seems that the only country that has amended its jurisdictional principles in relation to
cybercrime is Denmark. Article 9a of the Penal Code creates jurisdiction over an
online criminal act that has a relation to Denmark.30
Whilst the United States in
principle does not apply its laws outside its territory, it does provide explicitly for
extraterritorial jurisdiction in certain cases, including cybercrime.31
In the US report it
is referred to the USA Patriot Act that gives jurisdiction if the offence involves an
access device relevant for entities in the United States. For the rest, it appears that the
existing jurisdictional principles of states are applied. Most reporters report that, given
the extensive existing jurisdiction, their state does not face severe difficulties to claim
jurisdiction.32
This is an interesting observation as the jurisdictional principles were
developed to apply to physical conduct that causes effects nearby. Apparently, they
can easily be used for digital contacts over a long distance.
Only very few states apply universal jurisdiction and if, only to some cyber crimes. It
is reported that the list of crimes for which universal jurisdiction is applied is very
13
Gert Vermeulen and Lynn Verrydt. 14
Carlos Eduardo Adriano Japiassú and Rodrigo de Souza Costa. 15
Guo Jing. 16
Jørn Vestergaard. 17
Karri Toltilla. 18
Jacques Francillon. 19
Florian Jeßberger. 20
Mariavaleria Del Tufo and Tommaso Rafaraci. 21
Takeshi Matsuda, Tadashi Iwasaki and Megumi Ochi. 22
Anne-Marie Smit. 23
Arkadiusz Lach. 24
Patricia Faraldo Cadana and María de los Ángeles Catalina Benavente. 25
Nils Rekke and Anna Graninger. 26
Sabine Gless, Anna Petrig, Dario Stagno and Jeannine Martin. 27
Murat Önok, Baris Erman and Güçlü Akyürek. 28
Bruce Zagaris. 29
Argentina 3, Sweden 1, Turkey 1, Finland 3, Poland 3, Netherlands 7 and 12, Italy 1, Brazil 2,
Denmark 1, Belgium 1, Spain 1, Germany 2, France 5, Switzerland 8, Japan 1, China 2. 30
Denmark 2. 31
United States 2 and 3. 32
Sweden 1.
6
extensive in Turkey.33
The Netherlands have universal jurisdiction over hacking as a
terrorist offence. In addition, concerning a few other offences specific jurisdiction has
been vested.34
Italy reports that once a treaty obliges the state to apply the principle of
universality, it has immediate effect in Italy.35
Locus delicti
With the growing importance of the technical developments old legal concepts may
have difficulties to keep pace. Whereas in the past it was relatively easy to locate
conduct to a specific place of commission (locus delicti), it increasingly becomes
difficult to locate conduct in cyberspace. Some authors refer to this phenomenon as
the “loss of location”.36
In the Italian National Report the term “a-territoriality”
appears.37
Similar terms can be found in the French Report: “Il s'agit en effet de
concilier le caractère spatio-temporel – délimité et stable – de la norme de droit pénal
avec le caractère global de l'espace virtuel.”38
Many differences can be found in the manner of how states determine the locus of an
offence. States may consider that an offence has been committed on its territory, if it
produces effects there. 39
The IP address of a computer points at a physical address.40
Sweden reports that if one cannot determine the locus delicti for certain, but there are
grounds to believe that the crime was committed in Sweden, it has jurisdiction.41
Danish jurisdictional law applies a wide understanding of the link with Denmark: “A
cybercrime related to pictures, sound or text disseminated from another country but
made commonly accessible for an indeterminate group of users by the internet, is
regarded as also conducted in Denmark if the material has some kind of specific
relation to Denmark, e.g. by being phrased in Danish or concerned with matters
related to a specific group of individuals living in Denmark.”42
The National report
for Belgium states that there is no specific theory for determining the locus delicti of
offences in cyberspace. What is necessary is that it must be established whether there
is a constitutive element of the offence that took place in Belgium.43
Turkey reports that any content that can be accessed from any person in Turkey can
possibly be described as a crime committed in Turkey.44
This seems to create a rather
broad jurisdiction as it also relates to content uploaded in the country and stored in
servers in Turkey. It is interesting to see that concerning the criterion that content can
33
Turkey 5. 34
Netherlands 14 and 15. 35
Italy 5. 36
Bert-Jaap Koops, Ronald Leenes, Paul De Hert and Sandra Olislaegers, Misdaad en opsporing in de
wolken, Knelpunten en kansen van cloud computing voor de Nederlandse opsporing, Tilburg Institute
for Law, Technology and Society 2012, p. 7. 37
Italy 6. 38
France 4. 39
Argentina 1, Sweden 1, United States 3, Italy 3, Brazil 2 and 3, Denmark 1, Germany 2, France 9.
See also Draft Resolution 6: “Offences may have more than one locus. States may establish a locus
delicti within their borders if conduct takes place there or causes effects there.” 40
Argentina 1, Sweden 1. 41
Sweden 1. 42
Denmark 1. 43
Belgium 2. Similarly Spain 1. 44
Turkey 1.
7
be accessed from Turkey the distinction made between “pull-technology” (described
as any method of access depending on the will of the user) and “push-technology”
(described as any method of access depending on the will of the provider or host) is
deemed to be irrelevant.45
In essence the location of the information is not relevant for
the determination of Turkish jurisdiction. It is important to note that, if the locus can
be determined in Turkey, it has the effect that neither double criminality is required
nor a transnational ne bis in idem rule applies. One of the problems with the
application of a territoriality principle based on access at the territory of the state
could be that the perpetrator may not know all the particularities of specific national
legislation.46
This is certainly true, however, one could rebut this with the argument
that perpetrators who use the internet for their activities create the risk that their
conduct might fall within the boundaries of a criminal law provision. Those who skate
on skin ice, should not be surprised to fall in the water. In this sense the suggestion in
the Turkish report, that the nexus with the territory should also depend on the will of
the perpetrator is valuable.47
We will return to this at the end of this paragraph. A
similar observation is made in the Finnish report. If the discriminating statement is
made in Finnish, it can easily be assumed that it is directed towards the Finnish
audience.48
The French use a different term, which apparently has a similar meaning
“l'enracinement social du délit.”49
It is a concept developed on the basis of case law
concerning copy rights in which the crime is either located at the place where the
owner of the copy rights has domicile or in France when the offence focuses at an
impact on the French public order.50
On the basis of Article 8 of its Penal Code, Switzerland applies the theory of the result
to determine the location.51
However, the National Report also criticizes the concept
for a lack of clarity: “to construe a place of commission in Switzerland based on the
theory of result is only possible for result offences - but not for conduct offences,
which do not feature a result as previously defined and for which, as a consequence, a
place of commission can only be located in Switzerland based on the theory of
acting.” Under Swiss law it is relevant to identify the nature of an offence as a result
or conduct offence. This means that for conduct offences, Switzerland only has
jurisdiction if the conduct can be located in Switzerland. For result offences, things
are different and there is jurisdiction if the result is felt in Switzerland.52
Because of
the distinction made between result and conduct offences under Swiss law, it is
absolutely necessary that the place of commission is identified. Also under Japanese
law, a distinction between conduct and effect is made. The National Report states:
“The dominant doctrine claims that the Japanese Penal Code can be applied in
45
Turkey 2. 46
Draft Resolution 7 is the gist of this thought: “States should exercise restraint in applying the effect
theory in situations in which the effect is not “pushed” by a perpetrator into the state, but “pulled” into
it by an individual in that state.” 47
Turkey 7. 48
Finland 5, Denmark 1 and 2. 49
France 9. See further: “Selon cette thèse, la compétence judiciaire serait déterminée par le lieu du fait
générateur (l'émission du message en l'occurrence), la compétence législative par le lieu de la
survenance du résultat (la réception du message), lorsque du moins certaines conditions se trouvent
réunies.” France 12. 50
France 10. The National Rapporteur points at the danger that the legality principle may be violated.
How should the perpetrator know whether there are sufficient indications that conduct addresses the
French society. 51
Switzerland 11. 52
Switzerland 12 and 13.
8
accordance with the principle of territorial jurisdiction (art.1) when one of the
elements of the crime, in particular, the “conduct” or the “effect” of the crime, takes
place within the territory. But some authors claim that the place of commission should
not be specified only by the “conduct” of the crime and require the “effect” to take
place in the territory in order to apply art.1 of the code.”53
For the United States the location of the place of the commission is not essential.54
Several statutes of this country can do without the determination of the locus delicti,
whereas other require showing that the computers involved must have been used in or
affect interstate or foreign commerce and computers used by the federal government
and financial institutions.55
This is especially relevant with regard to a “protected
computer”, a statutory term of the Computer Fraud and Abuse Act. With regard to
“protected computers” it is irrelevant from where the perpetrator accessed the
computer.
The law of the Netherlands poses the specific requirement that the locus of the crime
must be mentioned in the indictment. However, on the other hand, it does not need to
be described very precisely.56
The Dutch National Rapporteur raises the question
whether in the future the determination of the locus delicti in cybercrime cases may be
omitted as it does not have any added value.57
This seems to be a delicate point.
Whilst most systems maintain that determining the locus is important, they have also
found creative ways to identify a locus within their borders. The way states have done
that makes the question whether determining the location is still relevant more
pertinent. The creativity that states demonstrate in their practice of localizing an
offence within their borders has had predominantly two consequences. The first being
that criminal conduct may have more than one locus delicti. The second being that
there are numerous conflicts of jurisdiction.
Some offences are more vulnerable in this respect than other. Multiple loci delicti are
likely to appear with a crime such as public incitement to an offence: where the
message has been written, where the message was made public and where the danger
of the crime has been caused.58
Or put in a different way: “a crime is committed in a
place where the perpetrator acted or failed to act he was obliged to, or where the effect
of the crime described in the definition of the crime took place or was intended to take
place”.59
The law of the Netherlands requires a connecting link, but is rather lenient as
to what qualifies as such.60
The theory of ubiquity is applied in many states, requiring
a relevant link.61
Applied on top of broad offence definitions or collectivities of
perpetrators (organized crime, money laundering, terrorism), it results in a very broad
jurisdiction.
53
Japan 1. 54
United States 2, Poland 2. Similarly in Finland. The National Rapporteur states that there is no clear
view on the question where a cybercrime is committed (Finland 2). 55
United States 3. 56
Netherlands 10. Similarly Italy 4, Brazil 2 and 3 and Spain 1. 57
Netherlands 10. 58
Finland 5, Switzerland 10, referring also to a decision of the Supreme Court that left open whether
the place where the server is located could be the locus of the crime. 59
Poland 1, Netherlands 7, China 1 and 2. Germany 3 refers to an explicit provision of Article 9 of the
German Penal Code. 60
Netherlands 8. 61
France 5 and 6, Switzerland 9.
9
There is also broad jurisdiction in Germany, where the offender acts at any place
where he performs an activity with a view to the materialization of the elements of the
offence.62
This may have quite an impact. The National Report for Germany refers to
the “landmark decision of 12 December 2000 (“Toeben”) the Federal Supreme Court
(Bundesgerichtshof, BGHSt 46, 212) found that the crime of “incitement to hatred”
(Volksverhetzung, Section 130), as a crime of “abstract-concrete endangerment”
(abstrakt-konkretes oder potenzielles Gefährdungsdelikt), may be qualified as a
territorial offense (“Inlandstat”) even if the offender physically acted in Australia
only.”63
However, on the other hand it is suggested that given the universal reach of
cyberspace a restrictive approach should be taken with regard to abstract
endangerment offences. The mere fact that data are uploaded in the internet does not
create a territorial link with Germany. It is reported that case law does not as yet give
an explicit answer as to when Germany may be seen as the place where the offence
took its effect.64
With regard to the question whether the national criminal justice system could do
without a determination of the locus, most reporters denied that this could be so,
unless the offence would be one subject to universal jurisdiction.65
The Belgian
Rapporteurs oppose universal jurisdiction as it would increase the likelihood of
conflicts of jurisdiction.66
Whereas in Germany the exact determination of the locus
may not be important in cases of universal jurisdiction, the fact that the locus is
outside Germany does have specific procedural consequences. On the basis of Article
153c Code of Criminal Procedure Germany applies the opportunity principle with
regard to prosecution instead of the principle of legality, that obliges the prosecution
to prosecute all crimes committed in Germany.67
The German report opposes a
location free application of jurisdiction both on theoretical as practical grounds. The
theoretical grounds relate to sovereignty and circumvention of mutual assistance
treaties. The practical reasons to selective choices in enforcement, overburdening of
German authorities and conflicting competences of states.68
The German report states
that the fact that the location of cybercrime may be difficult to determine is not as
such a reason to apply the principle of universality.
In Switzerland, the question of whether universal jurisdiction ought to apply to
cybercrime offences has been debated. The National Report puts it this way: “it has
been argued that the Swiss judge should be elevated to a position of a “judge of
cyberspace” - a space to which the concept of (national) borders is foreign - with
universal competence to try cybercrimes.”69
However, there are currently no
proposals and it is expected that the Swiss case law will rather broaden the existing
jurisdictional principles, as well as the notion of result.70
62
Germany 3. 63
Germany 3. 64
Under German law, for the determination of the jurisdiction it is not relevant where the incriminating
data may be located, what is relevant is where the effects of this data took place. See Germany 4. 65
E.g. Argentina 2. 66
Belgium 3. 67
Germany 5. 68
Germany 5 and 6. 69
Switzerland 21 and 22. 70
Switzerland 22.
10
It is fair to conclude that the most important principle of jurisdiction with regard to
cybercrime is the principle of territoriality. As states interpret territoriality very
broadly and apply it to mean that a crime is committed where its effects are felt, most
offences do not pose any jurisdictional problem.71
There is neither evidence that any
of the other principles play a significant role in practice, nor that it is necessary to
change or enlarge principles of jurisdiction. The fact that in many cases the
territoriality principle is applied, is also relevant for other reasons. As this is the
strongest principle of jurisdiction and its application is undisputed under international
law. However, as I interpret it from the French report, it is a position chosen by lack
of alternative. States are forced to declare themselves competent in a manner that
amounts to universal competence, without saying so.72
On the other hand, by
extending their notions of territoriality and locus delicti on first sight, they evade
potential disputes and quarrels over sovereignty.
Conflicting jurisdiction
States generally have a tendency to prevent that conduct may not fall under the
jurisdiction of any state and have thus increasingly extended the scope of application
of their criminal law.73
Whilst there is little evidence of cases in which states wanted
to claim jurisdiction in practice, but were unable as a result of lacking jurisdiction,
most states have widened their jurisdiction over the years. They intended to solve the
potential problem that there is not a single state able to apply its criminal law to
certain conduct and produced as a side-effect. Additionally, the cross-border nature of
the offence as such has increased multiple jurisdiction. As a consequence of the
practice of widening the extraterritorial application of criminal law, in theory
numerous positive conflicts exist by definition.74
Various questions can be raised as a
result of it. Should this be prevented? Is this problematic? Does this lead to real
problems in practice, or is it in essence an academic problem?75
My conclusion from
the National Reports is that overlapping jurisdiction is currently a huge problem in
theory, but not a real problem in practice among states. It is striking that with the
exception of France very few national Reports mention case law on cyber crime at all,
left alone on jurisdictional disputes. The French Rapporteur draws the attention to a
different aspect of this and refers to the problems that result from the application of
diverging legislation for the citizen, for whom it is impossible to know which norm is
applicable to his conduct: “que tous les droits pénaux du monde sont applicables au
contenu de la communication – quand bien même ils se contrediraient entre eux – et si
71
As the German Rapporteur states, it does de facto lead to universal application of national law, see
Germany 4. 72
France 7, see also Switzerland 22 and 23. 73
I will not use the commonly used term ‘negative conflict of jurisdiction’, which I consider to be a
wrong name tag to the situation. There is no conflict at all when there is no state that has jurisdiction
over certain conduct. In the absence of applicable penal law there is not even a criminal offence. 74
The existence of numerous conflicts of jurisdiction is recognised in all national reports. See for
instance Belgium 2. 75
In a comparative study commissioned by the Netherlands’ Ministry of Justice, Klip and Massa
conclude that there are hardly any prosecutions for crimes with a locus delicti outside a state’s territory.
See André Klip and Anne-Sophie Massa, Communicerende grondslagen voor extraterritoriale
rechtsmacht, Maastricht University 2010 http://www.wodc.nl/onderzoeksdatabase/vestiging-
rechtsmacht.aspx?cp=44&cs=6802
11
l'on présume que tous les acteurs de celle-ci ont connaissance de toutes leurs
prescriptions et sont par suite tenus de les respecter!”76
The Turkish Report states that the jurisdictional principle of complementarity was
implemented to avoid negative conflicts of jurisdiction following the European
Convention on the International Validity of Criminal Judgments.77
According to the
Turkish National Rapporteurs, in the area of cybercrime, positive conflicts pose more
problems than negative conflicts. The Netherlands provide over specific regulations to
deal with solving conflicts of jurisdiction, legislation has been adopted both at an EU
level as at the national level.78
National Reports from EU states refer to Eurojust,79
Framework Decision 2009/948 and occasionally to the 1972 Transfer of Criminal
Proceedings Convention as a mechanism to solve jurisdictional conflicts. In addition,
ne bis in idem provisions are mentioned.80
Italy also refers to Article 22, paragraph 5
of the Cyber Crime Convention that provides for a consultation tool.81
Brazilian law provides for a regulation concerning a positive conflict of jurisdiction in
case of jurisdiction over crimes committed outside Brazil due to obligations from a
convention, as well as jurisdiction over a foreigner who committed a crime against a
Brazilian national outside Brazil.82
In the United States case law has developed rules
on the prevention or settlement of conflicts of jurisdiction.83
In essence, it gives
preference to the state with the strongest link, except contra-indications that would
make it unreasonable.
The absence of any rules relating to solving positive conflicts of jurisdiction should be
regarded as an indication that in practice relatively very few offences are prosecuted
and that, if this happens, it did not attract the attention of another state. There are no
cases reported in which positive conflicts of jurisdiction have led to problems. The
regional systems set up in the EU and the Council of Europe are general for all
offences and do not give specific rules for cyber crime. Cyber crime belongs to the
offences for which overlapping jurisdiction is a specific characteristic.84
Supranational adjudication and sovereignty aspects
Another way to approach things could be that for certain crimes, for which the locus
delicti is difficult to find or crimes that imply concurrent jurisdiction, supranational
adjudication should be provided. The advantage could be that a supranational tribunal
would have the power to solve the jurisdictional conflict in a manner binding to the
states involved. Additionally, a more specialized tribunal and prosecution could deal
76
France 8. 77
Turkey 6. 78
Netherlands 15. 79
Spain 2, Germany 6. 80
Italy 5, Switzerland 20. 81
Italy 5. 82
Brazil 4. 83
United States 4. 84
See Draft Resolution 4: “States should exercise restraint in the establishment of extraterritorial
jurisdiction, with a view to preventing conflicts of jurisdiction rather than relying primarily on their
resolution once they occur.”
12
with specific forms of transnational crime, which go far beyond the possibilities of
national law enforcement authorities.
Except for Turkey, none of the National Reports addressed the issue.85
This is
understandable in light of what was identified above, the absence of an understanding
that overlapping jurisdiction is problematic. It also indicates that it does not appeal to
something that states could not manage themselves. However, the question must be
raised to what extent states may enlarge their jurisdiction without touching upon the
sovereignty of other states. A number of reports refer to the 1927 Locus judgement of
the Permanent Court of International Justice, which is understood to make a
distinction between substantive criminal law jurisdiction and the jurisdiction to
enforce and investigate. Whereas extraterritorial jurisdiction can easily be established,
this is different for procedural elements. In the context of applying their national
criminal law over offences sovereignty is not mentioned frequently in the national
reports. This may relate to two factors: the fact that most states locate cyber crime on
their own territory and the fact that states have the tendency to be less sensitive to an
infringement of sovereignty of others than to their own sovereignty.
Crimes with a transnational dimension
The French report distinguishes between offences that aim to damage the various
cyber systems and the other for which cyber technology is a means to commit a crime
that in theory could also be committed by physical means. This ambiguity explains
the fact that some reporters mention many offences,86
whereas others report that the
definition of offences do not have jurisdictional elements.87
Some state that it is
impossible to list all cybercrimes with an international dimension.88
The Japanese
Rapporteurs observe: “All the cybercrime offences can have a transnational
dimension because the cyberspace does not have a border. However, it does not
necessarily mean that all the cyber crime offences actually have a transnational
dimension: Cyber crime offences can take place also in national dimension.”89
A
similar expression of the multifaceted aspects of cybercrime can be found in the
Chinese report: “It is controversial to say which cyber crime is transnational. Some
believe all cyber crimes are transnational in nature. Some believes the crimes against
the internet information are transnational due to the non-boundary fact of internet;
while traditional crimes with cyber as a tool are not transnational in nature.”90
There is a wide variety of crimes that are reported to have a transnational dimension:91
Child pornography,92
interference with electronic mail,93
illegal access to a
information system,94
unauthorized publication of correspondence,95
disclosure of 85
It should not lead to the creation of a supranational body, Turkey 10. 86
Sweden 2, United States 3 and 6, Germany 7. 87
Argentina 3, Belgium 3, Switzerland 8, Spain 3, with the exception of „child pornography
trafficking”. Japan mentions the exception of Art. 21 (4) of the Unfair Competition Prevention Act that
contains jurisdictional elements. 88
Sweden 2. 89
Japan 3. 90
China 4. 91
Numerous offences are reported from the Netherlands, see Netherlands 10-12, on citation Evert
Stamhuis, National Rapporteur for the Netherlands for Section 1. It is noted that in many cases the
transnational dimension of cybercrimes does not result from the nature of the offences, but rather from
the typical methods of their perpetration (Turkey 8, Netherlands 17). 92
Argentina 3, Turkey 8, Brazil 5. 93
Argentina 3, Turkey 8, Italy 4.
13
secrets,96
offences in relation of data protection,97
electronic forgery,98
demolition,99
interrupting and impeding communications,100
interference with evidence,101
public
defamation of persons/ hate speech,102
denigration of the Turkish nation, 103
incitement of a group of people to animosity against another,104
other crimes
committed through forms of expression,105
intellectual property crimes,106
gambling
and wagering crimes,107
defamation,108
coercion, 109
public incitement to an offence,
110 breach of the sanctity of religion,
111 incitement to war,
112 credit card fraud,
113 all
computer related crimes,114
offenses protecting the integrity of ICT-systems,115
offenses protecting privacy,116
identity fraud,117
offenses protecting against illegal
content,118
offenses protecting intellectual property rights,119
unauthorised obtaining
of data,120
unauthorised access to a data processing system,121
damage to data,122
and
computer fraud.123
In substantive criminal law it can be seen that most states have
constructed the elements of cyber related crime as a variation to crimes based on a
physical act. As a result computer related crimes definitions are still rather close to
crimes of a physical nature: computer theft has a lot in common with theft; demolition
of computer data is similar to demolition of property and hacking looks like
trespassing.
The Italian National Rapporteurs refer to the fact that as a consequence of the
implementation of Article 3 of the Convention on Transnational Organized Crime a
definition of a transnational offence has now found its way into the Italian legal
system: “Therefore an offence is considered transnational if punished at least with
four years of imprisonment and (a) it is committed in more than one State or (b) it is
committed in one State, but a substantial part of its preparation, planning, direction or
94
Argentina 3, Turkey 8, Poland 4, Italy 4. 95
Argentina 3. 96
Argentina 3. 97
Argentina 3. 98
Argentina 3. 99
Argentina 3. 100
Argentina 3, Italy 4, Brazil 5. 101
Argentina 3. 102
Turkey 4, Italy 4. 103
Turkey 4. 104
Turkey 4. 105
Turkey 4. 106
Turkey 8. 107
Turkey 9. 108
Finland 5. 109
Finland 5. 110
Finland 5. 111
Finland 5. 112
Finland 5. 113
Poland 4. 114
Denmark 3, Spain 3. 115
Germany 7. 116
Germany 7. 117
Germany 7. 118
Germany 7. 119
Germany 7. 120
Switzerland 6. 121
Switzerland 6. 122
Switzerland 6. 123
Switzerland 6.
14
control takes place in another State; or (c) it is committed in one State, but involves
an organized criminal group that engages in criminal activities in more than one State;
or (d) it is committed in one State, but has substantial effects in another State.”124
It is
regarded very likely that this definition applies to cybercrime offences. The German
report states “As a rule, the jurisdictional reach of the offenses under German law
unfolds only if the definitions of crimes are read together with the general rules on
jurisdiction.”125
The rule stated in this way can be taken as the rule applicable in all
states. In the end, the jurisdiction over an offence is determined by the general part
together with the relevant offence in the special part.
General part related issues
Also the rules of the general part other than jurisdiction have not been amended as a
consequence of the introduction of cybercrimes.126
It may be assumed that this is also
the rule for the states that did not specifically report on it. This means that there are
states for which participants have their own locus and states where participants follow
the locus of the principal perpetrator. In Turkey it appears that participants have their
own locus.127
In other words, if the perpetrator committed the crime in Turkey and the
accomplice assisted from abroad, the latter is not within the Turkish jurisdiction.
Finland uses a different system: an offence by an inciter and abettor is deemed to have
been committed both where the act of complicity was committed and where the
offence is deemed to have been committed.128
In Italy, a crime is considered as having
been committed in Italy also when only a part of the conduct of one of the participants
occurred in Italy.129
Under Swiss law preparatory acts in Switzerland are insufficient to claim a locus in
that country, at least an attempt must be committed.130
The ubiquity theory also
applies to attempts under Swiss law.131
Concerning participation, the conduct of one
co-perpetrator in Switzerland establishes a place of commission in Switzerland for all
co-perpetrators.132
Instigators, aiders and abettors of result crimes have a locus in
Switzerland. The same conduct in Switzerland with a result abroad is outside its
jurisdiction.133
These rules on participation are also applied, as attempts to regulate
criminal liability for providers have failed.134
As a result, a content-provider may
easily be regarded as perpetrator, whereas access and host providers may qualify as
aider or abettor, provided that they have some knowledge of what is happening.135
124
Italy 5 and 6. 125
Germany 7. 126
Brazil 5, Denmark 3. 127
Turkey 9. 128
Finland 2. 129
Italy 6. 130
Switzerland 10. 131
Switzerland 13. 132
Switzerland 14. 133
Switzerland 14 and 15. 134
Switzerland 26-28. 135
Switzerland 30.
15
For Germany it is relevant that German criminal law also applies to the representative
of a provider, who has its seat in Germany and uploads illegal data.136
Whilst German
law does create responsibilities for legal entities in its Telemedia Act, they cannot be
equalized to criminal liability.137
The legislation differentiates between “content-
provider”, who are responsible for the contents of what they offer and “access-
provider”, who are in general not responsible. The German legislation forms the
implementation of EU Directive 2000/31 on electronic commerce. The broad
application of the rules to representatives may compensate the absence of criminal
liability for legal entities under German law.
Criminal liability for legal entities
On this issue the great divide between states that accept criminal responsibility for
legal entities and states that do not accept this must be noted. Some states
categorically rule out criminal liability for legal entities: Argentina, Turkey, Germany
and Japan.138
Poland seems to be in a middle category as it does provide for
responsibility for legal entities but regards this as quasi-criminal.139
Other states
accept corporate criminal liability: Sweden (on condition that the company is active in
the country), United States (when committed against a protected computer), Finland
(when provided for the specific offence), Italy and Spain (when provided for the
specific offence, several cyber crime offences are listed),140
Brazil (for environmental
crimes only),141
China (for acts endangering society),142
Belgium, the Netherlands,
Switzerland and Denmark accept corporate liability with regard to all offences.143
In Switzerland, “corporate liability plays an important role if one could attribute
responsibility to a host provider through the rules on participation. If a host provider is
not a natural but a legal person, it is still only criminally liable in cases where Article
102(1) Swiss Criminal Code is applicable. This first requires that the responsibility for
the criminal act cannot be attributed to a natural person, e.g. an employee, due to
organizational deficiencies. Second, the provision requires that the offence is
committed “in the exercise of commercial activities in accordance with the objects of
the undertaking”. This requirement ensures that there is a link between the underlying
offence for which the corporation shall be held liable and the activity of the
corporation. Only if these requirements are met can a host provider that is a legal
person be held criminally liable under Swiss law.”144
As a consequence, rules of
attribution of responsibility to providers may have jurisdictional implications and
create a locus in Switzerland. More in general, it seems that in those states that apply 136
Germany 4, referring to Article 14 Penal Code (acting for someone else). 137
Germany 7 and 8. 138
Although provider responsibility is being debated in Japan, see Japan 4. 139
Poland 5. 140
Italy 7, Spain 3. 141
Brazil 6. 142
China 5. 143
However, the Netherlands also provides for an exoneration of intermediaries in the general part of
the Penal Code. Art. 54a is translated as follows: An intermediary, who provides the transmission or
storage of data coming from someone else as a telecommunication service, will not be prosecuted as
such if he obeys a warrant from a prosecutor, issued after authorization from an investigating judge
upon request of the prosecutor, to take all measures that reasonably can be required from him to render
those data inaccessible. Denmark 4, Belgium 4, Switzerland 35. 144
Switzerland 35.
16
corporate criminal liability the factors that attribute conduct of individuals to the legal
entity are exactly the same that establish the relevant connecting link justifying
jurisdiction over the conduct of the corporation.
The diverging regimes on criminal liability for legal entities may cause problems for
international companies with branches in more than one state. Whereas the same
behaviour in one state by one branch may not be subject to corporate criminal
liability, this may be so for another branch in another state. However, one could
question whether this is a situation in which the position of legal entities is much
different from that of individual persons. In the context of the difficulties that we will
later see with regard to investigations and enforcement, it is to be recommended to
create criminal liability for legal entities operating in a transnational setting.145
Legality issues and double criminality
With regard to the question of whether a state could regulate jurisdictional matters on
its own, answers differ tremendously. Some states refer to the threats of cyber crime
and the need to act upon it, and subsequently accept that a state may unilaterally
determine its jurisdictional rules.146
Some suggest that this may be done on the basis
of a treaty.147
Zagaris, reporting on the United States characterizes the views of his
government under the following title: “The U.S. Government Believes It Can
Regulate Cyber Crime on Its Own.”148
The United States believes that in certain
circumstances a crime may be committed within the territory of a state and hence
justifiable by its criminal courts, even though the actor is physically outside the
territory. The Finnish answer to this question is entirely different: This is a matter that
a state cannot regulate on its own. Because cybercrimes do not respect the borders of
countries, harmonization of legislation plays an essential role in the fight against
cybercrimes.149
In the French report it is stated right from the start: “La
cyberdélinquance et la cybercriminalité soulèvent sur le plan juridique des questions
d'autant plus difficiles à résoudre qu'elles affectent une société globalisée. Cette
situation rend a priori la régulation illusoire à un niveau exclusivement national,
territorial. Elle impose donc de mettre en place un cybercontrôle à l'échelle régionale,
voire mondiale.”150
It is clear that the conclusion in the French Report is that a state
cannot effectively regulate and combat such a fluid form of criminality as cyber
crime.151
The Danish Report tries to find the balance between unilateral and multilateral
measures: “Cybercrime offences are transnational by nature. They might be regulated
nationally by isolated domestic legislative initiatives but only with the risk of
145
See to this extent Draft Resolution 11: “States may consider establishing corporate criminal
liability for legal entities with regard to cybercrime.” 146
Spain 3, Japan 4. 147
Sweden 2, Turkey 8, Italy 6, Switzerland 24, 25 and 50. Russia proposed a Convention on
International Information Security on 21 September 2011, containing provisions that would limit
jurisdiction both substantive and procedural to the territory of the state party. 148
United States 7. This is a view shared by Polish law, in particular because it relates to sovereignty,
Poland 4. 149
Finland 9. Also the Chinese report calls for reluctance, China 5. 150
France 3. 151
France 4.
17
unnecessary duplicating legislative work, missing important international links and
complicating mutual legal assistance procedures. ICT makes it particularly important
to enhance international corporation in criminal matters. The nature of the internet
makes it possible for perpetrators to find free havens under the jurisdiction of
countries which do not penalize cybercrime offences systematically, do not maintain
up to date jurisdiction rules, or does not have sufficient extradition agreements or
traditions. Cybercrime and the volatility of electronic data create a need for swift and
sometimes secret procedures. Enhanced mutual assistance rules which often depend
on a double criminality requirement also cause a need for equivalent and harmonised
substantive provisions.”152
A middle position is taken by Germany, that acknowledges
the competence for states to determine their own jurisdiction. However, cybercrime
offences are not of such a severe degree, comparable to genocide and crimes against
humanity, that they would qualify under international law. A treaty would be an
option.153
The Italian Report points at an important issue that complicates unilateral application
of jurisdiction: “In relation to minor cybercrimes there may be some obstacles to such
a system, double criminality being the most striking one. What if a criminal conduct
in one State constitutes the exercise of a legitimate right in another State? The balance
between conflicting interests can be done only at national level and cannot be imposed
over a foreign State and its authorities.”154
This observation in essence relates to the
application of the principle of legality. Also the Swiss report expresses a concern
relating to the freedom of speech and political rights.155
Conclusion
Surprisingly, the picture that emerges is that states do not face difficulties in
extending and applying their jurisdictional principles on modern phenomena of
criminal activity. The problem/ frustration seems to lie in the impossibility to bring
perpetrators to justice. As stated in the Swiss report: “In addition to harmonized rules
on the level of substantive criminal law, which are then implemented by domestic
law, it is necessary to have adequate tools for international cooperation in the
prevention, detection, investigation and prosecution of cybercrimes.”156
There are various issues at stake here. The first is whether states have the competence
to determine their own jurisdiction over offences. The prevailing views are that this is
the case. There is no rule under international law that prohibits this. As most states
currently apply the territoriality principle to locate cyber offences within their borders,
the potential for disputes is theoretically rather limited. With the application of
principles other than territoriality most states apply a double criminality requirement.
Most jurisdictional principles, apart from the universality principle, do require that the
conduct must also be criminalized according to the law of the place where it was
committed. The justification for it lies in the requirements of legality.157
For Turkey
152
Denmark 3. 153
Germany 6. 154
Italy 15. The same question is explicitly raised in other reports, see Denmark 2, Belgium 2, Japan 3. 155
Switzerland 50. 156
Switzerland 25. 157
It should therefore not be abolished, Spain 3.
18
only if no locus can be established in the country, the determination of the locus is
relevant in view of the double criminality requirement.158
The consequence is again
that the offence must be located and we saw already that this may be difficult. When
states apply other jurisdictional principles than territory and require double
criminality, the interests protected by the legality principle are not in danger. It may
be expected from the perpetrator to know the law of the locus.159
It is interesting to see that in the context of cyber crime, it is the territoriality principle
that gives rise to concern.160
Depending on the type of the offence, the question must
be raised whether the perpetrator was able to know the forbidden norm. In other
words, we must analyze what the legality principle requires in this setting. When
applying the territoriality principle, states may argue that those who commit an
offence on their territory must know the applicable legislation. However, with the
wide interpretation of the territoriality principle perpetrators may commit crimes
elsewhere without being present on the territory. This must lead to the additional
requirement that a perpetrator must be able to know that his conduct may cause
effects elsewhere. States are inclined to accept that there is jurisdiction when the
perpetrator wishes to reach that state. It is unclear whether there is jurisdiction over
perpetrators who gave access to content that can be accessed from other states as well.
We must therefore deal with this issue now.
The situation that is of concern to us relates to a perpetrator performing conduct
abroad, causing effects in the state claiming jurisdiction. It is relevant to make a
distinction here, depending on whether the perpetrator aims at creating effects in the
territorial state. At first sight, it seems to be logical to regard it foreseeable for the
perpetrator that a certain prohibitive norm is applicable, if it is his aim or intention to
damage the computer of a specific individual, to attack a specific banking system and
so on. A similar approach can be taken by content related offences send to a specific
individual. With insults and hate speech sent to a specific individual there is an
expectation that it causes effects there. The question must be raised whether what has
been stated thus far with regard to individual victims would also apply in situations in
which the perpetrator may be unaware of their identity or domicile. Territorial
jurisdiction could be justified on the basis of the perpetrator being indifferent as to
whom and where the effects would occur.
Then the situation in which the perpetrator does not send anything, but provides
content that falls within the criminal legislation of a state from which individuals may
have access. This could relate to the language or opinion used, which might violate
provisions on insult, hate speech, political freedoms. It could also relate to national
rules on morals and religion. The content may be regarded as porn or otherwise
violate sexual morals. The content may amount to blasphemy. In these cases the claim
for territorial jurisdiction on the basis of effects in the state does not seem to be
justified as the actor complies with the penal law of the state where he produces or
holds the content. Allowing the state who criminalizes this content to apply its penal
158
See Turkey 3. 159
A critical remark to this could be that even for the perpetrator it may be difficult to know where he
acts! 160
Despite this it should remain the primary principle. See Draft Resolution 3: “The principle of
territoriality remains the primary principle of jurisdiction also in cyberspace.”
19
laws would lead to the lowest denominator making the rules and seriously infringe
upon the political freedoms and human rights of individuals.161
Should this be different if the website is accessible only in the language of the
territorial state? I do not think so. As long as it is a free choice of those in the
territorial state to browse to the website and as long as they will not be confronted
with the content unsolicited, the interests of the territorial state are not really
harmed.162
To hold the opposite would mean that a state could impose its legislation
on the globe.163
The distinctive criterion of effects produced in a state should therefore
be added with the question whether they were unsolicited or not. Individuals that pull
(download) content in the territorial state may be subject to its legislation as they
possess the illegal content there.164
3. Investigations in Cyber Space
In this paragraph we will analyze to what extent states can investigate in the cyber
world without the necessity of applying mutual assistance from another state. In other
words what can they do on their own? Where do they draw the line and on which
basis? It will be looked at all investigative measures, regardless of whether it relates to
intelligence, obtaining a position of information, or evidence to be used in criminal
proceedings. Like with matters of jurisdiction, also with regard to investigation in
cyberspace the localization of information or evidence play a crucial role. A first
observation is that whereas it is commonly accepted that states may apply their
criminal law over conduct in other states, international law does not allow a state
having jurisdiction to collect evidence in another state on its own. This does not seem
to be logical.
Preliminary: expertise and the limits of technology
Where technology plays a decisive role, the technical possibilities may determine the
legal developments and possibilities. This phenomenon may lead to highly interesting
theoretical questions about where the primacy for the development of the law should
be. Does Microsoft determine how, whether and when investigation are conducted?
Some states and international organizations possess satellites or other devices that
enable them to have a clear and detailed picture of every place in the world. Should
the law regulate the use for purposes of criminal investigation and prosecution? If so,
161
Draft Resolution 5 reads: “With the exception of those crimes for which universal jurisdiction is
accepted under international law, a state may not apply universal jurisdiction de facto or de jure in
cases of prohibited content in cyberspace.” 162
Draft Resolution 8 reflects that a particular nexus must be required: “In determining effects, states
shall consider the existence of a particular nexus with the offence, such as the intent of the perpetrator.” 163
This is expressed in Draft Resolution 9: “When a state localizes the effects of an offence within its
borders, the principle of legality requires that the perpetrator could have had a reasonable expectation
that his or her conduct would cause effects in that country.” 164
See Draft Resolution 10: “A state may exercise its jurisdiction over an individual on its territory
who “pulls” content that is prohibited under its own legal system, even though it is legal under the legal
system of the producer.”
20
on which level should this be regulated, national or international and what are the
issues at stake?165
Apart from the hard ware and soft ware that make up the virtual world, those who
investigate must have the knowledge to do so. It is reported that there is a strong need
for expertise in investigating cyber crime.166
The Netherlands have taken quite a
number of initiatives to build up expertise amongst its law enforcement agencies and
the judiciary on cyber crime and information society.167
France has specialized and
centralized its contact points concerning the exchange of information related to
cybercrime.168
Whilst Turkish law does provide for the interception of telecommunication, it has
limited this possibility to certain crimes. Cyber crime is not listed as such.169
For
Turkish law it is relevant whether a user of telecommunications is found on its
territory. Turkish law does not allow for searches with remote access.170
Interception
of data is only possible if the providers are in Turkey. The Netherlands have a
panoply of provisions to intercept telecommunication and the transfer of data in many
circumstances.171
Many states limit these methods of investigation to more serious
forms of crime,172
as they infringe severely on the right and expectation to privacy. If
the IP address of the computer is abroad, international assistance must be requested. If
the provider is abroad, and also does not have any branch in the country, the
Netherlands cannot apply its competences directly.173
Under German law, authorities
may not access data located outside the country, unless on the basis of a assistance
request.174
An exception is made for publicly available (open source) stored computer
data. The obligation for providers to cooperate with the investigatory measures in the
sense that they must have the technique and intercept in practice has been regulated in
the Telecommunication Surveillance Regulation.175
On the basis of this legislation,
the interception may not continue if it is identified that the destination computer/ cell
phone is abroad, unless the communication to be intercepted can be connected to a
computer or data storage in Germany. German law does not allow for discrete online
searches.176
Localising revisited
Most states apply the rule that the location where information is held determines
whether national legislation is applicable. For those states localizing the information
is very relevant. In the Swiss report it is stated that the police may do on the internet
165
It reminds us of the “telescreens” predicted by George Orwell in his famous novel 1984. 166
Turkey 11. 167
Netherlands 52-53. 168
France 30. 169
Turkey 18. 170
Turkey 18. 171
Netherlands 23, likewise Italy 8, Denmark 4, France 18-22 and Germany 10-12. 172
E.g. Japan 5. 173
Netherlands 29, similarly Denmark 5. 174
Germany 10. 175
Germany 12. 176
Germany 12.
21
anything that would be equal to a police patrol in the real world.177
Many report that
no legislation exist on the search of websites or computers located outside the
country,178
however applying a principle of free evidence it is possible to make use of
publicly accessible sources.179
This is a rule that apparently many states apply and
derives from Article 32 of the Convention on Cybercrime.
In the context of the information society and obtaining information and evidence for
purposes of criminal investigation various situations deserve attention, presumed it is
still possible to locate information and evidence: 1. Open information and evidence.
This is information which is publicly accessible simply by surfing through the net.
2. Protected information. Information which cannot be publicly accessed, but which
may be accessed by hacking. 3. Information and evidence that require to take over a
computer or network located in another country. With regard to the first category,
publicly accessible information, the location of the content is irrelevant as long as it is
publicly accessible without further ado. For the Netherlands, it seems that Article 32
of the Convention on Cybercrime sets the boundaries. This is interpreted as that
publicly accessible information may be searched, regardless of the location where the
data is stored. In addition, consent of the person or organization entitle to disclose
may be obtained.180
There is case law accepting the use of pictures derived from
google earth. It is reported that the Minister for Security and Justice is drafting
legislation that would enable the police to search systems without consent of the
owner. It is reported that in cases of decrypted data transfer a decryption-order ought
to be possible. The Netherlands are considering to create a legal obligation to that
extent. The National Rapporteur for the Netherlands supports such searches.181
This is
already the practice in France, where electronic infiltration is possible.182
The Turkish
report proposes three different standards depending on the character of the
information: open information, protected information and remote take-over of a
computer. The first does not require permission, whereas the other two do.183
The
spatial distance between the perpetrator and the victim is an element inherent to cyber
crime.184
Belgium has special legislation “in the specific context of information systems,
reference must be made to article 88ter CCP, authorizing – under certain conditions –
the extension of a search ordered by the investigating judge in an information system
(or a part thereof) to an information system (or a part thereof) located in a different
place than where the search physically takes place, to the extent that the persons
mandated to use the original information system to which the search pertains, have
access to the information system (or part thereof) located in the different place. Unlike
when the data accessed in this way appear to be located on Belgian territory (in which
case the data concerned can not only be seized, copied, blocked, made inaccessible
and even removed on the basis of article 39bis CCP), data located abroad may only be
copied, in which case the competent authorities of the foreign country (provided that
the latter can be reasonably identified) will be informed thereof through the Belgian 177
Switzerland 42. 178
Sweden 3, Poland 7. 179
Brazil 9, Spain 10. 180
Netherlands 34. 181
Netherlands 36. 182
France 22 and 23. 183
Turkey 21 and 22. 184
Turkey 11.
22
ministry of justice. Finally, accession of publicly available information is considered
unproblematic.”185
Article 706-102-1 of the French code of Criminal Procedure
allows to investigate into data, regardless of where the data is held, without
permission of the owner or provider.186
The picture that emerges is that it is not decisive where the data is actually located as
long as it concerns publicly accessible information in use for investigation. Some
states draw the line with the need to make use of coercive measures and others make
the distinction on whether the information obtained or accessed will be used as
evidence. Investigations that do not require coercive measures may be performed
without mutual legal assistance.187
With regard to the collection of evidence, the
determination of the place where the evidence is stored is relevant for some states,188
but not for other.189
In some states is necessary to know where the evidence is stored
to be admissible.190
In both cases, it means that the information must be localized and this is where it gets
difficult. Again, also in the context of the location where data actually is, problems
arise as much data is in the clouds and may be moved from one server to another,
depending on the availability of space in interconnected servers. Files may be stored
in copies and parts at different servers. The system itself will then, depending on the
amount of data, determine where storage is most efficient and move data to such a
server.191
Even cloud providers may not at all time know, where (their) data is. It is
apparent that this highly complicates the investigation into and the seizure of the
material. Approached in a classical manner, it could mean that by the time law
enforcement agencies have obtained the permission to search a server, the data in
question may have been automatically moved to another unknown location.
In the German National Report the determination of the location of data is described
as crucial, but also very difficult: “A major practical problem concerns the fact that it
is often difficult to determine where a specific information is located. For instance, a
seizure or a data query concerning information located on a server outside Germany
would be illegal since this would violate the sovereignty of the state where the server
is located.”192
An example of that relates to the interception of wireless
telecommunication. If two persons converse by making use of cell phones, it may
involve six states.193
Should all these states have a say in whether conversations may
be intercepted? If so many states have sovereignty over such an investigation, it must
be stated that the individual claim of a state to sovereignty is rather weak.
The generally applicable rules on the search and seizure of recordings laid down in
the Swiss Criminal Code are applicable to e-mail communications. This means that a
search and seizure on a server located outside the country, must be performed by the
185
Belgium 6 and 7. 186
France 21 and 22. 187
Sweden 2, Denmark 6. 188
Netherlands 9, Italy 3. 189
Denmark 2. 190
Argentina 2. 191
Koops and others, p. 7. 192
Germany 4. 193
Gert Vermeulen, Wederzijdse rechtshulp in strafzaken in de Europese Unie, dissertation Gent 1999,
p. 224-293.
23
local authorities.194
Swiss law provides the surveillance of internet telephone
conversations.195
However, the legality of the various possibilities is uncertain.196
For
law enforcement agents it is almost impossible to meet the demands. On the one hand,
they may not use their own coercive means when the data is located out of the
country. On the other, it is often impossible to locate data. This brought Geist to raise
the million dollar question of Is there a there there?197
Other challenges listed by the Belgian National Rapporteurs: ˝Additional issues,
brought about by technological advancement, concern mostly the possibility for
(potential) offenders to remain undetected. Pre-paid SIM cards, which require no
registration, allow for perpetrators to make phone calls which are untraceable, a
phenomenon that completely undermines any regulation concerning interception of
telecommunications. Equally untraceable is internet use through hot spots using
alternating IP addresses, e.g. in airports. VoIP, also known as voice over IP, allows
telephone calls using the internet. When using VoIP from a hot spot, these
conversation may well remain impossible to trace. Furthermore, detection on the
internet can easily be dodged, especially by using the Tor Browser, but also by simply
installing an IP-shielder. Even using the “incognito-mode” readily provided by
Google Chrome is rendering law enforcement more difficult. Other challenges,
because largely unregulated, are cross-border observation through camera use, spy
drones and environmental taps (from a distance, e.g. through laser measuring of
window vibration and deducting voice from that).˝198
States have developed practices to compensate the problems that might result from the
difficulty to locate where data is stored. The National Rapporteur for the United States
expressed it this way: “The United States, like other countries, takes the position that
it can use its own legal mechanisms to request data from any cloud server, located
anywhere around the world, so long as the cloud service provider is subject to US
jurisdiction — that is, when the entity is based in the United States, has a subsidiary
or office in the United States, or otherwise conducts continuous and systematic
business in the United States.”199
Other states also impose obligations on providers. In practice it is reported that seizure
will be performed at the provider, in order to prevent that information will not be
traceable (cloud computing).200
Italian law allows for the interception of cell phone
194
Switzerland 39. 195
Switzerland 41: “The Swiss Government submitted a draft law to the Parliament in February 2013,
which aims at introducing a legal basis specifically regulating the use of spyware for law enforcement
purposes. According to this draft, the use of GovWare shall, subject to certain criteria, be permitted to
intercept the content of a conversation and traffic data for the investigation and prosecution of certain
particularly grave offences listed in the law, but not for purely preventive purposes. At the same time,
online searches and the surveillance of rooms with microphones or cameras is prohibited by the draft
law.” 196
Switzerland 40 and 41. 197
Michael A. Geist, Is there a there there? Toward Greater Certainty for Internet Jurisdiction, Berkely
Technology Law Journal 2001. 198
Belgium 10. 199
United States 10 and 25. 200
Argentina 2. See also Draft Resolution 14: “States should consider establishing, under national law,
an obligation on service providers to cooperate with law enforcement agencies, by making data
transfer in the cyberworld traceable, giving access to passwords, decrypting content or installing search
devices for investigative purposes. This obligation is subject to the principle of proportionality.”
24
conversations if the provider is Italian, if the owner (caller/ recipient) of the one of the
cell phones involved is an Italian, regardless of where the provider or satellite is
located.201
In such a case there is no need for international legal assistance. It must be
possible to submit a provider to the factual jurisdiction of the state in order to
intercept telecommunication.202
The National Rapporteurs for Spain state that the
Spanish legislation is completely insufficient as it, due to a constitutional
understanding of the right to privacy of communications, only provides for
interception of telephone, but not for other modalities of telecommunication.203
Self service
States continue to have rather strict rules prohibiting the physical presence of foreign
law enforcement agents on their territory.204
Do these rules apply in the context of the
cyber world that create a virtual reality? Do these rules also apply when law
enforcement agents do not physically enter the territory of another state, but search in
networks or computers located in another state.205
Do the same rules apply and if so,
how do they apply? If the rules prohibiting physical presence do not apply, why is that
so?
In this context it is relevant to refer to a unique provision in the Swiss Penal Code:
foreign officials carrying out investigations in Switzerland, must be authorized by
Swiss authorities. Otherwise, such investigations may amount to criminal conduct,
notably violating Article 271 Swiss Criminal Code criminalizing unlawful activities
on behalf of a foreign State. The criminalization under Swiss law may be unique in
the world. That is not the case for the prohibitive rule that it indicates under
international law. It is undisputed that states may not operate extraterritorially, unless
the local authorities permit that. A definitional problem may arise here, as it can be
debated whether a police officer sitting in his office in his home state is downloading
data from a computer or server located abroad is operating extraterritorially.206
Extraterritorial investigations require permission of the state on whose territory this
will be performed. Self service is not permitted.207
Finland reports that extraterritorial
investigations are regulated in the Coercive Measures Act.208
However, in Denmark it
is reported that the Danish Supreme Court has stated that search of a Facebook and
Messenger account is legal even though the information is stored on a server in a
foreign country. The actual search was conducted on the basis of investigations by
Danish authorities and legally obtained information (passwords obtained via
interception of telecommunication) that was related to a crime subject to Danish
201
Italy 9. 202
Argentina 5, Turkey 12. 203
Spain 4. 204
Police officers may only enter another country and perform their duties if this finds a basis in a
codified international agreement or on the basis of ad hoc permission. The use of coercive measures is
generally ruled out. With minor exceptions, such as the apprehension of a fugitive in the case of a cross
border hot pursuit. See, e.g. Article 41 of the Convention Implementing the Schengen Agreement. 205
The Japanese Report states that the collection of public information does not infringe upon the
sovereignty of another state, see Japan 8. 206
Switzerland 46 and 47. 207
Turkey 21, Italy 11, Brazil 8, Germany 13. 208
Finland 7.
25
jurisdiction, and the search was conducted without the involvement of foreign
authorities.209
Many states report the possibility of setting up joint investigation teams.210
It is also
referred to Articles 40 and 41 of the Convention Implementing the Schengen
Agreement that allow for cross border pursuit and infiltration.211
All these examples
relate to physical presence of authorities on the territory of another state. Germany
refers to Article 89 of the Treaty on the Functioning of the European Union, which
reads: “The Council, acting in accordance with a special legislative procedure, shall
lay down the conditions and limitations under which the competent authorities of the
Member States referred to in Articles 82 and 87 may operate in the territory of another
Member State in liaison and in agreement with the authorities of that State. The
Council shall act unanimously after consulting the European Parliament.”212
Whilst
the Treaty of the Functioning of the European Union does give a mandate to legislate
on this issue, thus far no initiative has been taken. Article 32 Convention on
Cybercrime is considered to give such a permission under international law. The
Belgian report further proposes to allow for self service if the requested state cannot,
for capacity reasons, comply with the request for assistance.213
The Netherlands have generally applicable legislation on extraterritorial
investigations. Article 539a of the Code of Criminal Procedure gives law enforcement
authorities of the Netherlands the same powers and competence abroad as within the
country, provided that this is not contrary to international law.214
Chapter 13 of the
Guidelines for Criminal Investigation on the basis of the Japanese Code of Criminal
Procedure also declares the Code applicable outside Japan, provided that the other
state accepts it. A logical consequence is, as reported in the National Report from the
Netherlands that there is case law in which the court did not accept that police officer
logged into an email account without a positive answer to a request for international
assistance to the United States in case of Microsoft Hotmail.215
This is seen differently in the United States. The National Rapporteur states that the
US has at least nine different methods of coercion to obtain evidence located abroad,
to obtain testimony from witnesses located abroad, and to secure the transfer of
private assets to the US.216
The methods used by US authorities are often challenged
by the person whose information is sought, as well as by foreign courts. The United
States has a practice of providing itself with the assistance it needs. There is no
legislation that governs the issue.
Analysis
The foregoing demonstrates that states try to make use of the investigative powers
they may have under their own legal system for investigations on their territory. Like 209
Denmark 5. 210
Poland 7, Italy 11, Spain 10, France 16. 211
France 16. 212
Germany 13. 213
Belgium 9. 214
Netherlands 33. 215
Netherlands 35. 216
United States 25 and 26.
26
with the substantive criminal law jurisdiction we see that states are inclined to locate
things within their territory. This is reflected in attitudes in which states do not ask for
mutual assistance if it is uncertain where the data is held and in situations that they
demonstrate that they are not really interested in knowing where information is. States
have also expanded their investigations to the publicly accessible web and it seems
that the line is drawn where coercive methods of investigation are used or evidence is
needed. What to think of this development?
A first observation is that this is not paralleled with a similar development with the
physical presence of law enforcement officers in another country. This is logical to
the extent that the infringement upon sovereignty is certainly less. One may even
question whether there is an infringement of sovereignty of another state if law
enforcement agencies search at the publicly available worldwideweb. Why would the
sovereignty of a state that is unable to apply its legislation to a certain situation be
infringed only because another state wishes to do something? What is state
sovereignty in the context of cyberworld?217
The rules that are stipulated in this regard are rationalizations of sovereignty,
following the patterns of physical presence. However, the question must be raised
whether this makes sense. Which state is involved when the web is browsed? This
may change from moment to moment. States may not even know that and when they
had sovereignty over something. If states are so concerned about their sovereignty,
they should do much more to protect it. Sovereignty relates to the competence to
determine the rules applicable on your territory with the clear goal of protecting the
interests of your residents and the state itself. Residents have a claim and are entitled
to expectations from the state where they live.218
It is a kind of social contract that
their rights will not be infringed upon, unless provided for by the law of the state
protecting them.
What are the legitimate expectations of a citizen of the www? No state owns the
www, no state guarantees that its legislation is always applicable and may be even
more important: states are unable to give citizens of the internet the protection they
may need. A claim of sovereignty requires the power to enforce it, if necessary by
force. States are too weak do so, the worldwideweb is a shared responsibility of the
community of states.
To regard the cyber world as an area in which states share sovereignty has several
consequences. Citizens can do what they want as long as they do not infringe upon the
rights of others, but the same goes for the law enforcement agencies.219
To formulate
this in concrete terminology, law enforcement agents are entitled to search the internet
if they are entitled to do so under national law if all aspects would be within the
borders. If this includes the production of evidence (a report of what they saw or read/
217
See Draft Resolution 12 on this issue: “The responsibilities of a specific state for violations of
human rights should be decided after a finding of a violation and not as a condition for admissibility of
a complaint with supervisory mechanisms.” 218
Draft Resolution 15: “All persons are entitled to the protection of a national legal system, if there is
a legitimate expectation of protection by that system.” 219
Draft Resolution 13: “Law enforcement agencies, in the same way as citizens, have the right to
navigate the free IT networks without permission from providers, and regardless of where the content
looked at is stored.”
27
a sample of content) without coercive means,220
there does not seem to be an
impediment to use it as evidence,221
as there is no expectation of protection. In this
argumentation, the dividing line is where there is a legitimate expectation of
protection. This could relate to a search of a server, a search of a computer, a remote
take over of a personal computer, an infiltration undercover in a discussion group and
the like.
Who or which state must give the protection then? That can only be the state that has
the power and the obligation to protect. If I make use of my pc, it is my home state
that I expect to protect me against foreign authorities to take over my computer. This
example demonstrates once again that localization is important. I have a legitimate
claim of protection because both my computer and myself are in the country. If this
view is correct, it is to be recommended that with other situations (data in the clouds)
the place where it is held is determined. Citizens that want to be protected have an
interest in localizing. If localizing remains difficult, it is easy to predict that states will
resort to unilateral means (in the absence of international agreements). An
international agreement on investigation collecting of evidence and enforcement is
necessary to bring cyber space under the rule of law. This is a most urgent matter as it
may be expected that further technological advancement will increase possibilities to
investigate with extraterritorial effects. In the future states will de facto be able to do
more on their own.
4. Mutual Assistance in Criminal Matters
In the previous paragraph we looked at the extent to which states can regulate things
on their own and apply the investigative techniques available on the basis of their own
legislation. It was identified that states must do something to bring cyber space under
the rule of law and prevent that mutual assistance will be bypassed by self service. In
this paragraph we will look at the consequences that the technical developments have
for mutual legal assistance in criminal matters.
The first observation to make is that states reportedly did not change their legislation
on mutual assistance in criminal matters. The French report establishes that as such
cybercrime did not change the general characteristics of the French law on
international assistance. This means that the rules applicable before the advent of
information society and cyber crime are not altered. The basics remaining that the
requesting state sends out a request to the requested state, which will examine it and
then execute it or refuse it, when applying grounds for refusal. Grounds for refusal
remain in place.222
States do report that a wide variety of new investigative techniques
are introduced, that allow law enforcement agencies to investigate in the modern
220
Draft Resolution 17: “Regardless of the nationality of the person in question, no state may apply
coercive measures in another state, unless permitted by the territorial state.” 221
Draft Resolution 16: “States may, subject to national law, freely use evidence that they find on
publicly accessible IT networks.” 222
It is interesting to see that the Convention on Cybercrime completely follows the classical principles
of international cooperation in criminal matters: a request send by one state to another to render
assistance. The nature of international assistance has not been changed by the emergence of
cybercrime, see Brazil 6.
28
world.223
Whilst cybercrime did lead to some specific provisions concerning new
investigatory techniques, these did not change the nature of the legislation.224
Germany may assist other states with the interception of telecommunication on the
basis of its legislation on international assistance in criminal matters.225
It may do so
with and without treaty basis. However, this country did conclude several bilateral
and multilateral conventions that further specify the conditions under which this
assistance may be given. In addition, it is referred to Framework Decisions 2003/577
on orders freezing property and evidence and 2008/978 on the European evidence
warrant.
Despite the fact that Italy has not yet ratified mutual legal assistance conventions that
specifically deal with interception of telecommunications, it does offer assistance in
this area.226
Also Spain reports that, except for the 2000 EU Mutual Assistance
Convention, it has not concluded conventions that specifically deal with it. However,
interception can be offered to other states on the basis of general clauses in mutual
legal assistance treaties.227
General grounds for refusal apply.228
The introduction of
these new techniques did not as such change the rules of international cooperation.229
What emerges from the national reports is that the information society has confronted
states with a new challenge caused by the speed at which life in the virtual world
goes.230
The German Rapporteur’s analysis is that the changes to mutual assistance
brought about by modern technology are multifarious. On the one hand offences
committed by making use of modern technology, they almost have a transnational
dimension by definition. As a consequence of the territorial limitation of the activities
of law enforcement authorities, they are obliged to request assistance from abroad.
The fluidity of data in conjunction with the time consuming nature of assistance
procedures is problematic. On the other hand, the development of modern technology
has contributed to new methods of investigation and created the possibility of
electronic transfer of documents between state authorities.231
The importance of the speed is also recognized in the words of the Swiss reporters: “A
considerable amount of time may elapse between a request for mutual assistance and
the issuance of a final and binding surveillance order in mutual legal assistance
proceedings. This long duration stands in stark contrast to the fast-paced nature and
fluidity of electronic data, which can be moved across borders within seconds and is
often not stored over a longer period. Hence, such data may no longer be available at
the conclusion of mutual assistance proceedings. Hence, electronic data differs from
“traditional” pieces of evidence, which generally persist in time and are not as easy to
223
Draft Resolution 18: “States should implement the necessary investigative techniques that enable
them to provide mutual assistance in respect of cyber offences, on the basis of the proportionality
principle.” 224
France 17, Switzerland 36 and 37. 225
Germany 10 and 11. 226
Italy 9 and 14 and Brazil 7. 227
Spain 5-10. 228
See also Germany 12, France 17, Japan 6. 229
A few exceptions to this will be discussed later. China would welcome an innovation of the rules of
mutual assistance, China 7. 230
Japan 4. 231
Germany 9, Switzerland 37.
29
move from one location to another.”232
Swiss law therefore provides for a provisional
order to seize traffic data, which is followed by a formal mutual assistance procedure
before the information obtained is transferred to the requesting state.233
Obtaining an information position234
It is the speed with which things go that has forced some states to build up and to
maintain their information position. Without these measures information would have
been lost, or the exchange of information could not fulfill its function in preventing
crimes to occur. In essence this relates to a new dimension to the purposes of criminal
investigations and mutual assistance. Whereas in the past information and evidence
were needed to respond to offences occurred in the past, nowadays the exchange of
information often relates to the prevention of future offences and to preserve evidence
of offences that will be committed later.235
Especially as part of a package of measures related to combating terrorism, states are
eager to obtain a good information position in order to prevent terrorist attacks or
other crimes from taking place. Given the use of air traffic in the past, as a means of
terrorist attacks, states have given priority to have more knowledge on passengers and
on freight. Regarding passengers, so called Passenger Name Records agreements have
been concluded.236
Also in other areas, such as financial transactions and visa matters,
data are exchanged. These agreements are not without criticism, especially with
regard to their potential to infringe upon privacy and data protection rights.237
We must be aware of the fact that we are entering here the sphere of privacy law.
Whereas on the hand, it should be prevented that the focus of our discussions should
be on the elements of the protection of privacy, it is, on the other hand, inevitable that
some elements of privacy law will be discussed. To what extent will the data be
exchanged for criminal investigation and on which legal basis? To what extent does
the person involved have the possibility to prevent/ correct/ delete information? To
what extent can exchanged information be used as evidence?238
The United States has concluded agreements on exchange of PNR data, SWIFT data
and Visa data. The United States has an on-call unit available on a 24/7 basis. This is
232
Switzerland 43. 233
Switzerland 43 and 44. 234
It is referred to the definition given by Hans Nijboer, General Rapporteur to Section III: “The
existence and the use of enormous amounts of operational information is sometimes referred to as the
information position of investigative and prosecutorial authorities.” 235
Draft Resolution 21: “Information obtained through mutual legal assistance for investigative
purposes may, subject to national law, be used for evidence.” 236
The EU concluded agreements with the United States and with Australia on this matter. See Council
Decision 2010/16/CFSP/JHA of 30 November 2009 on the signing, on behalf of the European Union,
of the Agreement between the European Union and the United States of America on the processing and
transfer of Financial Messaging Data from the European Union to the United States for purposes of the
Terrorist Finance Tracking Program, OJ 2010, L 8/11. 237
France 31 and 32. 238
In the EU context, a special legal instrument has been adopted regulating the data protection rules in
international cooperation in criminal matters. See Council Framework Decision 2008/977/JHA of 27
November 2008 on the protection of personal data processed in the framework of police and judicial
cooperation in criminal matters, OJ 2008, L 350/60.
30
also the case for the Member States of the European Union, except for Denmark.239
France concluded bilateral treaties on exchange of information between police
authorities, with among others, Serbia.240
Switzerland concluded various conventions
in this respect with the United states, Canada and established links with Europol and
Sirene.241
A further recent development is the establishment of supranational databases and the
online consulting of each other’s databases. An example of that relates to the EU, in
which some Member States have established a mechanism to retrieve data on DNA,
licence numbers of vehicles and finger prints directly from another Member State.242
Several EU states report that a practice has developed.243
Also other data, such as visa
data, custom information, judicial records and child exploitation tracking system may
be accessed and used. One of the consequences is, that the state whose data is used, no
longer is requested to give information and does not take a decision in individual
cases to do so. It also means that grounds for refusal are no longer considered and
applied in the initial stage of information exchange.244
The information that a Member
State was able to see may only be used as evidence after permission of the Member
State that inserted it into the system. Is this a good development? Within the EU
further plans have been developed to create direct access to the criminal records of all
Member States.245
The developments identified here are predominantly European and
United States. The EU has also concluded several agreements on exchanging data
concerning financial transactions: as mentioned with the United States, and with
Switzerland and Japan.246
In addition, it has adopted Decision 2008/633 that gives
Europol access to the Visa Information System. It seems that in the United States a
difference is made between information to be admitted into court and intelligence.
The first requires a formal request, the second can be complied with more easily via
direct consultation.247
All reporting states participate in Interpol. Most states participate in Europol. The
Netherlands report that the European Union has taken the initiative to set up the
European Cybercrime Centre EC3, which has its seat at Europol headquarters.248
Japan and 14 other Asia-Pacific countries participate in the Cybercrime Technology
239
Denmark 6. 240
France 30. 241
Switzerland 48 and 49. 242
Council Decision 2009/1023 of 21 September 2009 on the signing, on behalf of the European
Union, and on the provisional application of certain provisions of the Agreement between the European
Union and Iceland and Norway on the application of certain provisions of Council Decision
2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and
cross-border crime and Council Decision 2008/616/JHA on the implementation of Decision
2008/615/JHA on the stepping up of cross-border cooperation, particularly in combating terrorism and
cross-border crime, and the Annex thereto, OJ 2009, L 353/1; Council Decision 2008/615/JHA of 23
June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and
cross-border crime, OJ 2008, L 210/1. 243
Finland 8, Poland 8, Netherlands 38, Italy 11. 244
However, the relevant legal instruments stipulate that if the information is to be used as evidence, a
regular request for international assistance must follow. 245
Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of
the exchange of information extracted from the criminal record between Member States, OJ 2009, L
93/23. 246
Germany 15. 247
United States 37. 248
Netherlands 20. See also Belgium 8.
31
Information Network system, that was established in 2001.249
Almost all states report
that they have a 24/7 availability for requests for exchange of information and
assistance.
Problems do not seem to occur in situations in which mutual legal assistance is
requested. An example is given in the United States’ Report. The US believes that its
interests are sufficiently protected by the existing grounds for refusal. As US law
provides for a series of measures of intercepting telecommunication, it is also possible
to make use of these on request of a foreign authority. However, the US can only
accommodate requests for assistance of the interception of communications of these
were independently authorized as part of a related or parallel investigation in the US
and disclosing the contents of the intercepted communications were otherwise
appropriate.250
This means that there must be a US judicial order.
Double criminality is required for some requests relating to evidence in some states.251
In other states, there is a call that double criminality could be abolished.252
The United
States have developed a practice of no longer requiring dual criminality in the Mutual
Legal Assistance Treaties it concludes.253
The Danish Rapporteurs mention that
computer-related crime is one of the list offences of Article 2 Framework Decision
2002/584 on the European Arrest Warrant, which means that in extradition
proceedings double criminality will no longer be checked.254
This is also relevant for
the other forms of cooperation within the European Union based on the principle of
mutual recognition.
The dangers seem to exist when mutual assistance in criminal matters is not
requested, but simply obtained through self service. This would result in a situation in
which traditional grounds for refusal (double criminality, nature of the crime, double
jeopardy etc) could no longer be applied. Would it be possible or necessary to reduce
the application of grounds for refusal in this area? This is a relevant question as it is
reported that aside from formal international assistance, assistance is also offered
bypassing the official ways.255
The key problem or challenge once again lies with the
localization of the information or evidence needed. Especially the cloud challenges
traditional mutual legal assistance and its key elements, such as a request in advance.
Difficulty in localization of the data requested, also has an impact on international co-
operation, as it makes it difficult to know to whom to address a request for
assistance.256
The role of private parties in this cannot be underestimated as is evidenced by
reference to the Belgian Yahoo case dating from 2007.257
The Belgian authorities
249
Japan 10. 250
United States 22. 251
Argentina 5, Turkey 12. Japanese law maintains double criminality, unless in relation to the United
States, see Japan 6. 252
Spain 10. See further Draft Resolution 20: “In situations where there is a common understanding of
cybercrime offences, the trend towards the elimination of the requirement of double criminality as a
condition for mutual legal assistance should be encouraged.” 253
United States 25. 254
Denmark 5. 255
Switzerland 37. 256
Koops and others, p. 7. 257
Koops, p. 22.
32
wanted to obtain information from Yahoo and requested the Belgian branch (Yahoo
Customer Care) to assist. They refused and referred to their US headquarters. The
Belgian authorities then requested assistance from the US authorities. This is only one
example of situations in which private parties demonstrate that they do not regard it as
their task to become an assisting police officer. To a certain extent one can understand
this as delivering assistance to the police is time consuming and therefore costs
money. However, in each criminal justice system citizens can be obliged to cooperate
with investigations, even if this may cost time and money. In cyber space, private
parties operate as militias, pirates or otherwise autonomous entities and escaped this
as a result of the weakness of states to claim and defend their sovereignty.
What about obligations to retain data on information transmission? Do providers have
the obligation to organize their network in such a manner that they may comply with
all different and complicated request for assistance from law enforcement agencies of
other states?258
How could this be done with providers not having a seat in the
relevant state? Another example of a problem is when the police wishes to know who
hosts a website. The police can technically look at/in the webserver and may then
identify that the real IP-address is in another country. At that moment, the possibility
exists to obtain evidence and to make the website inaccessible for others.259
Turkish
law regards the state where the provider has its legal seat as the state to which
requests for mutual legal assistance should be send to.260
These difficulties to locate and to enforce support the case for an international
agreement that regulates under which circumstances private parties are obliged to set
up their systems in such a manner that the necessary information can be obtained. One
option could be to oblige them to localize activities in the cyber world (even applying
a legal fiction). This option could also bring relieve to the protective sight of
localization. Different standards in data protection rules are reported as an obstacle to
international assistance.261
In Argentina, Brazil and Spain, the concept of habeas data
exists, which allows the citizen to obtain knowledge and request correction or deletion
of data with regard to him.262
Another option could be that international agreement is reached on the circumstances
under which states may undertake unilateral actions, and apply specifically regulated
investigative techniques. It is interesting to see that more and more forms of
cooperation come up that can also be regarded as specific or special investigatory
methods. What these methods have in common is that it is unclear at the moment of
using them whether the offences will in the end be prosecuted in one state or in
another. In addition, the classical roles of requesting and requested state are also
blurred. The technological progress of information society will lead to a severe
decrease of both a de facto and a de jure need for mutual assistance in criminal
matters.
5. Enforcement in the Clouds
258
Japanese providers are obliged to cooperate with the Japanese police, Japan 5. 259
Koops and others, p. 46. 260
Turkey 3. 261
Turkey 12, France 23, Switzerland. 262
Brazil 9.
33
The almost unlimited possibilities of information technology do raise questions with
regard to whether states may directly enforce judgments, or provisional measures by
making use of information technology, without asking permission of whatever other
state. It seems that on this issue the wish to intervene and technical possibilities to do
so must be reconciled with the fact that it may infringe upon the sovereignty of
another state.263
In a situation in which there is a legal decision that a certain website must close down,
because it contains child pornography, hate speech or other illegal material, should it
be allowed for law enforcement agencies to hack that site in order to prevent it from
further committing crimes? It is therefore relevant to look at both the possibility of
taking provisional measures as well as enforcing final decisions.
Many states report no legal means to close down a website.264
It is often referred to
the obligations of the provider to delete illegal content. In the Netherlands this means
that the Public Prosecutor may order a provider to do something. A failure to do so is
a criminal offence.265
However, if the provider is outside the Netherlands, this cannot
be enforced.
On the basis of the Turkish Law of Internet a court may order the “precautionary
measure” of banning access to the content of a specific site. It is reported that as a
consequence of the fact that those entitled to challenge the measure before Turkish
courts may find themselves abroad, the measure may obtain a permanent character.266
The minimum necessary link for Turkey to take such a measure is that the content
may be accessed from Turkey. Polish law provides for a notice and take down
procedure in Article 14 of the Electronic Services Act 2002.267
Denmark may
confiscate a domain if it contains illegal materials, 268
Spain on the basis of Act
34/2002 on Information Society Services and Electronic Commerce,269
and Belgium
may do so on the basis of Article 39bis paragraph 3 of the Code of Criminal
Procedure.270
France may apply its “loi n° 2011-267 du 14 mars 2011 d'orientation et
de programmation pour la performance de la sécurité intérieure (LOPPSI II).”271
Italy has the legal means to deny access to Italian users by an order issued to the
service provider.272
The nationality of a website is irrelevant. If the judicial authority
decides to proceed to the seizure of a website, it issues an order to the Italian service
provider, which must disable access in Italy. The United States can make use of a
notice and take down process on the basis of a court order. There is a wide practice
263
Draft Resolution 19: “States should in particular be able to provide fast assistance, and a
provisional order to preserve data should be introduced. Such an obligation to preserve data should be
for a reasonable time only.” 264
Sweden 3, Brazil 9, Germany 15, Japan 10. 265
Netherlands 22. 266
Turkey 3 and 24. 267
Poland 8. 268
Denmark 7. 269
Spain 11. 270
Belgium 8. 271
France 23. However, this act does not allow to undertake remote fishing expeditions in personal
computers, see France 33. 272
Italy 14.
34
regarding copyright infringements.273
The National Rapporteur is of the opinion that
an international enforcement system to implement decisions, such as internet banning
orders or disqualifications in the area of cybercrime, can only be successful in the
context of a treaty that has a substantial participation from states across the world and
is implemented by an organization that has almost universal membership.274
There is
quite some skepticism regarding the feasibility of such a system.275
However, the
complexity of enforcement in a virtual world requires international agreement.276
It this becomes clear from the few states that report on the enforcement issue that,
once again the localization of where to perform the act of closing or deleting data is a
key issue. States that did take action localize the responsibility with the provider. This
is a tool that may increase the chance of being able to enforce decisions. It would be
preferable when states could reach an agreement on what they can do and not do with
and without the assistance of other states.277
This is not only relevant for investigation
and prosecution, but also for the defence. When the responsibilities are clear, it makes
it easier for the defence to claim its rights. Without clear responsibilities there is a fair
chance that also legal remedies cannot be localized.
6. The Virtual Court Room
In this paragraph we will look at the consequences of the new possibilities for the
preparation of the investigation and conducting the court hearing. Modern
telecommunication creates the possibility of contacting accused, victims and
witnesses directly. Should this be allowed, and if so, under which conditions? If not,
should the classical rules on mutual assistance be applied (request and answer) and
why?
The notification of judgements, decisions, summons and other legal documents may
have legal consequences. Similarly as to old style notifications on paper, the law will
attach these consequences also to notifications send by information technology.278
On
the basis of German law German authorities may contact persons abroad directly,
when it cannot be expected that the other state will regard this as an infringement of
its sovereignty.279
The Netherlands’ Report could imagine that suspects and witnesses
will be reached by email and will be invited to the proceedings in that manner.280
French law is very open to making use of new techniques throughout the criminal
proceedings: “L'utilisation des nouvelles technologies de la communication peut se
révéler utile pour accomplir divers actes de procédure. Elle peut l'être notamment 273
United States 34 and 35. 274
United States 36, Turkey 25, Netherlands 41, Brazil 10, Belgium 4, Spain 11. 275
Poland 9, Italy 15, Denmark 7, Japan 10. 276
Draft Resolution 2: “States should consider acceding to existing international instruments on
cybercrime or developing further international legal mechanisms in order to establish the rule of law in
cyberspace and avoid potential conflicts between states on the enforcement of their legislation and
policies in cyberspace.” 277
Draft Resolution 22: “A (provisional) decision by a criminal court to close down a server, website
or corresponding entity may be enforced directly if provided for by an international agreement or by
the law of the state in which the service provider is located.” 278
It is reported that the Nordic states are discussing this (Sweden 3). In 2010, e.g., the German postal
services introduced the electronic Zustellung, equal to a formal notification by an usher. 279
Germany 17. 280
Netherlands 51.
35
pour faciliter l'audition de témoins, experts, victimes ou accusés en cours d'enquête ou
d'instruction, voire dans la phase de jugement lors d'une audience. Cette possibilité est
offerte en France en vertu des dispositions du Code de procédure pénale relatives à
l'utilisation de moyens de télécommunications au cours de la procédure (art. 706-
71).”281
As contacts between people are more and more making use of electronic devices, the
question comes up whether the administration of justice should remain at the status of
centuries ago.282
Flight tickets are issued electronically, dentists’ appointments sent
per sms and invitations to whatever kind of meeting send by email. In some states
new acts are no longer printed on paper anymore, but only published in digital format
on the government’s website. It is reported that courts in the Netherlands may have
only digital files of the proceedings in the near future. For both aspects: the
facilitation of the administration of justice and the preliminary investigation I would
support making use of direct contacts with witnesses, victims, experts, accused and
their counsel.
Videolink testimony
Many states report a practice using videoconferences, court hearings using skype,
emailing scanned documents and so on.283
The Italian report states that: ”Information
technology can facilitate mutual legal assistance without changing its nature. (…)
Specificities of information technology make it possible to carry out traditional
activities, such as testimony, without the need for people to move to a foreign State.
(…) However, it is difficult to believe that these new methods could be applied
without the assistance of the authority of the State involved.”284
However, other
National Reports underline the changed nature: “The rise of information technology,
such as e.g. low and medium earth orbiting satellites and foreign servers, has
profoundly impacted upon the nature of mutual legal assistance. It has created a need
for cooperation and mutual legal assistance where no such need existed before by
adding an international dimension to situations which formerly were purely
national.”285
Turkish, Polish, Dutch, Italian, Danish, Spanish and Finnish law provide for
videoconferences with witnesses and experts.286
Poland (mandatory ground for
refusal) and the Netherlands (optional ground for refusal) have explicitly ruled out
video-conference with accused.287
The e-justice site of the European Union lists all
the facilities within the European Union that have the capacity for video conferences.
Whilst states are expanding the possibilities, it cannot be ruled out that the different
speed at which states can provide the technological infrastructure may lead to
281
France 32. 282
Draft Resolution 27: “Communications may be sent by the authorities directly to the accused,
witnesses, victims and experts who are physically present in another state, subject to the acceptance of
said state of this method of communication.” 283
Argentina 8, Brazil 12, Germany 17 and 18. 284
Italy 7 and likewise Belgium 6. 285
Belgium 5. 286
Turkey 28, Finland 9, Poland 10, Netherlands 49, Italy 18, Denmark 8, Spain 12. 287
Poland 10, Netherlands 50.
36
situations in which the requested state cannot offer the requested assistance, because it
does not have the technique.
Many National Reports do not see a legal impediment to make use of video-
conferences, it depends on the other state.288
Skype is an alternative to telephone
hearings, according to the Belgian report.289
The Italian report suggest that during
investigation, direct contacts with victims and potential witnesses may be allowed.290
This is different, once the trial stage has arrived. Then a formal request for assistance
must be made.291
The reluctance in Germany with regard to interrogating witnesses
finds its basis in the principle of immediacy, stipulating that all evidence should be
presented at the hearing. However, German law does provide for an exception in case
of witnesses abroad unable or unwilling to travel to the court room.292
Hearing of
accused via the screen is in most cases not possible as it violates the accused’s
obligation to be present.293
Only in minor cases, it is possible to refrain from this
obligation. The National Rapporteur for Germany refers to advantages of video-
conferences in terms of facilitation of the proceedings and a better quality of the
evidence and the use of the right of confrontation in comparison to reading out written
testimony, with which this is not possible. However, in comparison to personal
appearance of witnesses, disadvantages remain in existence, as a direct impression of
the witness is not possible.294
The National Report for France points at another limitation related to human rights
standards. Making use of testimony via video-conference must comply with the right
to a fair trial under Article 6 European Convention on Human Rights.295
States are
not completely in agreement on the question whether the physical presence of accused
or witnesses is an absolute necessity. When it comes to human rights obligations, it
must be stated that neither the physical presence of the witness nor the presence of the
accused is an absolute requirement under human rights treaties. With regard to both
exceptions are possible. It is the national criminal justice system that sets the limits
here. The question comes up whether the quest for the best evidence should always
indicate physical presence as being the ideal situation.
The Danish report: “The sovereignty of states, due process principles, and
fundamental procedural rules (e.g. translation into ones native language, self-
incrimination, and the rules related to a non-compellable witness and oath) should be
respected. Direct contact between the accused and a foreign state would make this a
difficult task.”296
It is interesting to see that both sovereignty and fair trial concerns
may lead to reluctance with states. I personally would see a need to safeguard the
rights of the individuals contacted via modern technology. Any person receiving
whatever notification must be informed about the consequence of (not) responding to
it. Persons testifying from abroad must know whether they are subject to an
obligation, perjury rules and testimonial privileges.
288
Sweden 3, Spain 13. 289
Belgium 10. 290
Similarly Belgium 9. 291
Italy 17. 292
Germany 17 and 18. 293
A question could be whether presence can be physical presence only. 294
Germany 17 and 18, Japan 13. 295
France 32 and 33, Italy 17. 296
Denmark 8.
37
The virtual court room
Do we envisage a virtual court room, in which hearings may take place, whilst
nobody is present in the real court room?297
Whilst the Brazilian report could very
much imagine such a future development, 298
this scenario is opposed very clearly in
the Italian Report.299
The Argentine report suggest that we may see a kind of “digital
litigation” in the near future: “La computación en la nube (cloud computing), será uno
de los temas con los que tendrá que lidiar en los próximos años la introducción e
implementación del expediente digital.”
The very fact that it has become increasingly simple to speak with persons abroad
through audio-visual techniques (skype, videoconference) raises the question whether
this should not lead to a higher threshold for extradition for the purposes of
prosecution. If the accused is not present in the state that prosecutes him extradition is
likely to take place. In light of the serious infringement on the liberty of the accused,
the question may be raised whether it should be preferred to conduct the trial via a
video-link.300
Also the presumption of innocence would oppose burdensome
extradition. Should we reserve extradition for convicted persons?
Security of the communication
It is necessary to verify the identity of the sender of messages via email and the
like.301
The confidentiality of the lines of communication must be secured.302
The
Convention on Cybercrime is criticized for not offering sufficient guarantees of
establishing confidentiality.303
The safety of the information must be secured. This is
one of the reasons to involve the other state.304
The protection of the reliability and
severity of the lines of communication is of the utmost urgence.305
7. Real Human Rights in a Virtual World
Gradually it becomes clear that the difficulty of localizing data, conduct and
infringements does have a severe impact on the protection of human rights. Human
rights supervisory mechanisms give rights to individuals vis-à-vis the state in which
297
Draft Resolution 29: “States should be encouraged to consider the possibility of and conditions for
the collection of evidence through digital technology, even though the individual was not physically
present at the hearing.” 298
Brazil 12. 299
Italy 8. 300
Draft Resolution 28: “On condition of the consent of the individual concerned, the possibilities of
making use of digital technology, such as videolinks, should be expanded in order to lessen the need
for such intrusive measures as extradition.” 301
Netherlands 23. 302
France 32. 303
France 36. 304
Italy 17. 305
Draft Resolution 30: “The security and reliability of the lines of communication in use by the
authorities must be of the highest standard. The communications should be protected against hacking.”
38
jurisdiction they find themselves.306
It thus requires that it can be identified that the
human rights affected are within the jurisdiction. As with everything related to
cyberspace, this may proof to be very difficult. Earlier on I considered the cyber
world to have the characteristics of an area in which responsibilities are shared. When
obligations are shared, human rights are especially vulnerable as it must be identified
which state must use its protective powers.307
The Swiss report points at the vulnerability of human rights in cyberspace: “Various
human rights of the Swiss Constitution (which often find a counterpart in cantonal
constitutions) are potentially jeopardized in the context of criminal investigations
using information technology. Among them are the right to privacy in persons’ private
and family life, in their home and in relation to their mail and telecommunications, the
right to be protected against the misuse of their personal data, and the freedom of
expression and information.”308
The German Constitutional Court developed a right to
integrity and confidentiality of computer systems, which is also applicable in a
context of cooperation.309
Swiss law obliges law enforcement officials to obey the
Constitution wherever they are.310
In sum, the rights potentially violated are the right
to privacy and freedom of expression and possibly the right to a fair trial. Other rights
that require the physical presence, such as the protection of life, the prohibition of
torture and the right to liberty are less vulnerable in the virtual world.
In their answers to the question concerning human rights no specific aspects are being
reported by the National Rapporteurs. The questionnaire was probably not phrased
well as it aimed at obtaining a picture of the responsibility that states may have for
human rights violations by other states or violations of which it is not possible to find
out the responsible state.311
The Swedish National Rapporteurs suggest that their
country may be held accountable if it were to abuse information transmitted to another
state.312
Turkish authorities may not use material as evidence if it were collected by
foreign authorities under violations of human rights rules.313
Under Japanese law,
evidence collected unlawfully elsewhere may be inadmissible in a criminal
proceeding in Japan. In a case in which accused were questioned in China, the
Japanese prosecution was present at the interrogation in China, in order to evade
concerns of human rights violations.314
The French report describes an interesting case in which US law enforcement
authorities set up an internet site destined to attract pedophiles.315
As a Frenchman
showed interest, the information was passed on to the French authorities, who made
306
Japan 11 and 12. 307
Draft Resolution 23: “States shall respect internationally recognized human rights standards also in
the context of the digital world.” 308
Switzerland 51. 309
Germany 17. 310
Draft Resolution 24: “If states act extraterritorially while investigating in cyberspace, they shall
comply with the human rights standards applicable to their jurisdiction (agent control standard).” 311
Draft Resolutions 25 and 26: “25.States should record investigations in cyberspace with a view to
ensuring state accountability in the event of violations of human rights; 26.The responsibilities of a
specific state for violations of human rights should be decided after a finding of a violation and not as a
condition for admissibility of a complaint with supervisory mechanisms.” 312
Sweden 3, similarly Italy 17, Brazil 11, Belgium 8, Germany 17. 313
Turkey 27. 314
Japan 12 and 13. 315
France 36 and 37.
39
use of it in the context of a criminal investigation. The Court of Cassation disregarded
the information obtained by the American authorities, as these were an entrapment
violating the right to a fair trial protected under Article 6 ECHR. The National
Rapporteur cites an author criticizing police authorities stating that cyber crime should
be combated with equal means. However, the rule of law obliges state authorities to
respect the right to a fair trial, even vis-à-vis persons that disrespect the law.316
8. Concluding remarks
In sum, it seems that the impact of the information society to international criminal
law is threefold. The first is that the information society creates a transnational threat
for certain legal goods, whilst other may remain unaffected by it. The second is that
the information society creates, on the other hand, a tool for criminal justice. The third
major impact relates to the loss of sovereignty. The information society has seriously
decreased (or maybe even taken away) the value and importance of territoriality. As
localisation is difficult, impossible or constantly moving this is the key issue of
cyberspace. In all respects cyberspace does not stand still long enough to allow states
to claim their sovereignty over whatever happens.
The main challenge is therefore to recognise the shared responsibility of states for the
cyber world. Whether you like it or not, criminal law and the enforcement practice
must learn to live with the loss of location. It may not be overstated to say that it is
time to rethink the application of the law. Osinga described this as follows: “Yet we
use the lexicon of the physical world to describe cyberspace – we “enter”, “navigate”,
“move through’, there are sites, we surf, we store, and sometimes we get lost in it, yet
there is no “there” there: it is a de-territorialised space. And unlike the other domains,
cyberspace has no physical obstacles, nor “real” boundaries like a shore. Moreover,
distance and time make no sense in the traditional meaning, indeed, in cyberspace
distance disappears. Data can appear simultaneously, or almost, at various places.”317
This raises the question whether we should also take into consideration that
localisation may not be possible. This General Report departs from the presumption
that such localisation is possible, either directly, or by making use of a legal fiction,
such as localising data at the provider.
The general feeling reading all the national reports is that both state legislation as well
as conventional treaties lay far behind what is technically possible and that it is time
to take a few steps. In the Brazilian report this is summarised as follows: “en tiempos
en los que la información trafica de manera excesivamente veloz y sin respetar
fronteras, la armonización legislativa entre los países puede generar efectos benéficos
al combate de la criminalidad informática.”318
This is necessary to evade the coming
into being of a state of anarchy.
As no state is able to completely enforce its legislation in the cyber world, human
rights are unprotected in the virtual world. Maybe this can be remedied if also human
rights obligations are localized. Following rules of localization of conduct and data, it
316
France 37, footnote 95, citing Chilstein. 317
Frans Osinga, Introducing Cyber Warfare, in: Paul Ducheine, Frans Osinga, Joseph Soeters (eds.),
Cyber Warfare, Asser Press, The Hague 2012, p. 9. 318
Brazil 5 and 6.
40
appears that the provider could be taken as linchpin to applying the legislation of a
specific state. It is logical that if a state applies its legislation to something, that it
brings about the application of human rights as well.
The freedom created by cyberspace does have many sides from which the individual
has benefited. However, it emerged that also serious dangers to this freedom exist.319
If states are not able to find a way to shape their responsibility over the internet and to
bring it under the rule of law, cyber space equalizes a state of anarchy. That would
result in a world in which organized crime rules and human rights have no meaning.
319
See Explanatory Report to the Convention on Cybercrime, par. 1-6.
41
Draft Resolutions Section 4
Preamble
The participants of the Preparatory Colloquium for Section IV held in Helsinki from 9
to 12 June 2013 propose the following resolutions to the XIX International Congress
of Penal Law, to be held in Rio de Janeiro from 31 August to 6 September 2014:
Considering that people’s lives in the 21st century are heavily influenced and shaped
by information and communication technology (ICT) as well as by the opportunities
and risks that accompany information society and cyberspace, and that therefore
crimes in these areas affect important personal and collective interests;
Noting that states share sovereignty in cyberspace and have a common interest in its
regulation and protection;
Recognizing that states have made considerable efforts to vest jurisdiction and
determine the locus delicti of offences that may affect the integrity of ICT systems
and cyberspace as well as the related interests of persons and society;
Keeping in mind the particularities of cyberspace, such as the speed at which data
flows, its volatility, and the fact that it can be accessed anywhere in the world;
Recognizing further the difficulties in localizing information and evidence in
cyberspace;
Stressing the fundamental importance of the protection of human rights, in particular
the principle of legality, the right to privacy, the right to a fair trial, the principle of
proportionality in the investigation and prosecution of offences, and in general all the
rules and principles regarding due legal process;
Referring to international and regional instruments that seek to guide and coordinate
efforts and to harmonize legislation, such as the Budapest Convention on Cybercrime
of 23 November 2001, EC E-Commerce Directive 2000/31/CE, EU Framework
Decision 2005/222/JHA on attacks against information systems, EC Data Retention
Directive 2006/24/CE, the Commonwealth of Independent States Agreement on
Cooperation in Combating Offences related to Computer Information of 2001, the
Arab Convention on Combating Information Technology Offences of 2010, the
Shanghai Cooperation Organization Agreement on Cooperation in the Field of
International Information Security of 2010, and the draft African Union Convention
on the Establishment of a Legal Framework Conducive to Cybersecurity in Africa of
2012;
Building on the debates and resolutions of past International Congresses of Penal
Law, especially the resolutions of Section II of the XV International Congress (1994)
held in Rio de Janeiro, on computer crimes and other crimes against information
technology, and the resolutions of Section IV of the XVIII International Congress
(2009) held in Istanbul, on universal jurisdiction;
recommend the following:
42
A. General Considerations
1. States should develop a coherent response to the challenge of cybercrime,
in particular by keeping their legislation and practice under review in
order to ensure that their criminal law, criminal procedure and mutual
legal assistance regimes meet the needs of today’s interconnected
globalised world.
2. States should consider acceding to existing international instruments on
cybercrime or developing further international legal mechanisms in order
to establish the rule of law in cyberspace and avoid potential conflicts
between states on the enforcement of their legislation and policies in
cyberspace.
B. Substantive Jurisdiction and Locus Delicti
3. The principle of territoriality remains the primary principle of jurisdiction
also in cyberspace.
4. States should exercise restraint in the establishment of extraterritorial
jurisdiction, with a view to preventing conflicts of jurisdiction rather than
relying primarily on their resolution once they occur.
5. With the exception of those crimes for which universal jurisdiction is
accepted under international law, a state may not apply universal
jurisdiction de facto or de jure in cases of prohibited content in
cyberspace.
6. Offences may have more than one locus. States may establish a locus
delicti within their borders if conduct takes place there or causes effects
there.
7. States should exercise restraint in applying the effect theory in situations
in which the effect is not “pushed” by a perpetrator into the state, but
“pulled” into it by an individual in that state.
8. In determining effects, states shall consider the existence of a particular
nexus with the offence, such as the intent of the perpetrator.
9. When a state localizes the effects of an offence within its borders, the
principle of legality requires that the perpetrator could have had a
reasonable expectation that his or her conduct would cause effects in that
country.
43
10. A state may exercise its jurisdiction over an individual on its territory
who “pulls” content that is prohibited under its own legal system, even
though it is legal under the legal system of the producer.
11. States may consider establishing corporate criminal liability for legal
entities with regard to cybercrime.
C. Investigations in Cyberspace
12. No state has exclusive sovereignty over the publicly accessible IT
networks.
13. Law enforcement agencies, in the same way as citizens, have the right to
navigate the free IT networks without permission from providers, and
regardless of where the content looked at is stored.
14. States should consider establishing, under national law, an obligation on
service providers to cooperate with law enforcement agencies, by making
data transfer in the cyberworld traceable, giving access to passwords,
decrypting content or installing search devices for investigative purposes.
This obligation is subject to the principle of proportionality.
15. All persons are entitled to the protection of a national legal system, if
there is a legitimate expectation of protection by that system.
16. States may, subject to national law, freely use evidence that they find on
publicly accessible IT networks.
17. Regardless of the nationality of the person in question, no state may
apply coercive measures in another state, unless permitted by the
territorial state.
D. International Cooperation in Criminal Matters and Enforcement
18. States should implement the necessary investigative techniques that
enable them to provide mutual assistance in respect of cyber offences, on
the basis of the proportionality principle.
19. States should in particular be able to provide fast assistance, and a
provisional order to preserve data should be introduced. Such an
obligation to preserve data should be for a reasonable time only.
20. In situations where there is a common understanding of cybercrime
offences, the trend towards the elimination of the requirement of double
44
criminality as a condition for mutual legal assistance should be
encouraged.
21. Information obtained through mutual legal assistance for investigative
purposes may, subject to national law, be used for evidence.
22. A (provisional) decision by a criminal court to close down a server,
website or corresponding entity may be enforced directly if provided for
by an international agreement or by the law of the state in which the
service provider is located.
E. Real Human Rights in a Virtual World
23. States shall respect internationally recognized human rights standards
also in the context of the digital world.
24. If states act extraterritorially while investigating in cyberspace, they shall
comply with the human rights standards applicable to their jurisdiction
(agent control standard).
25. States should record investigations in cyberspace with a view to ensuring
state accountability in the event of violations of human rights.
26. The responsibilities of a specific state for violations of human rights
should be decided after a finding of a violation and not as a condition for
admissibility of a complaint with supervisory mechanisms.
F. Virtual Court Room
27. Communications may be sent by the authorities directly to the accused,
witnesses, victims and experts who are physically present in another
state, subject to the acceptance of said state of this method of
communication.
28. On condition of the consent of the individual concerned, the possibilities
of making use of digital technology, such as videolinks, should be
expanded in order to lessen the need for such intrusive measures as
extradition.
29. States should be encouraged to consider the possibility of and conditions
for the collection of evidence through digital technology, even though the
individual was not physically present at the hearing.
45
30. The security and reliability of the lines of communication in use by the
authorities must be of the highest standard. The communications should
be protected against hacking
